--- date: 2022-06-07T22:11:49Z aliases: [] categories: ['exploit'] series: ['hacking'] tags: ['bug'] patched: true chroma: false toc: true title: Duolingo Xp Exploit description: I found a bug in the Duoling app for iOS that let's super/pro users instantly complete speaking only lessons. --- {{< raw >}} {{< /raw >}} It's possible for super/pro users to instantly complete speaking only lessons on iOS. ## How to reproduce 1. Make sure the Duoling app does *not* have microphone access. 2. Start a round of "Perfect Pronunciation" in the "Practice Hub". 3. Click continue and when prompted for microphone access, just click cancel. 4. Profit. (Instant perfect lesson!) ## Summary The bug here seems to be that the first in app prompt for microphone access does nothing, except telling the end user to *please* give up mic perms. Later we do actually get that iOS prompt on the first actual lesson. The Duoling app skips all the speaking lessons as it usually would when denied microphone access. But this of course is a big problem when all the lessons are speaking lessons. The end result is an *almost* instant perfect lesson!~