Aram aramshiva

@aramshiva
aramshiva / WRITEUP.md
Last active December 6, 2025 05:43
WRITEUP.md

The following is a writeup of several vulnerabilities found in the Hack Club Clubs Dashboard. These vulnerabilities were found on October 23rd, 2025.

Background

I was looking through the Hack Clubs Club Dashboard code after reading a wonderful writeup of another vuln for Clubs by @NeonGamerBot-QK. I noticed that all the code was in a singular 16000+ line main.py file, so I looked through this and found several vulnerabilities.

Hack Club has an amazing security program led by 3kh0. This allows teenagers to earn money for security vulnerabilities they find in Hack Club code. The vulnerabilities found were reported through the Hack Club Security program.

Vulnerabilities

g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.

Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown.

  1. Someone named "Chloe" called me from 650-203-0000 with Caller ID saying "Google". She sounded like a real engineer, the connection was super clear, and she had an American accent. Screenshot.

  2. They said that they were from Google Workspace and someone had recently gained access to my account, which they had blocked. They asked me if I had recently logged in from Frankfurt, Germany and I said no.

  3. I asked if they can confirm this is Google calling by emailing me from a Google email and they said sure and sent me this email and told me to look for a case number in it, which I saw in

@garyhtou
garyhtou / README.md
Last active February 27, 2024 02:57
Creating Hack Club Bank gource

  1. Install gource and ffmpeg
    brew install gource
    brew install ffmpeg
  2. Place bank-bg-dark.png in the root of your local copy of the Bank repo
  3. cd /your/bank/repo/location
@dariusz-wozniak
dariusz-wozniak / list-of-countries.txt
Last active October 7, 2025 06:45
List of countries TXT (plain text) - including countries with limited recognition
Abkhazia
Afghanistan
Åland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica