User Awareness: Unauthenticated Request on Duolingo

Steve Matindi
3 min read · Mar 8, 2023

Duolingo neighborhood stalker: Ann, I saw on your status you were telling people that you’ve been using Duolingo for over two years instead of just a week. Haha! You lied to them you daughter of an angel! So good at lying. Why?

Ann: Mscheeew! How did you even figure out the date I joined Duolingo?

Duolingo neighborhood stalker: I checked your account through this thing techy guys call an API. You should try it out sometime. You know, just for the fun of it 😃.

Ann: Wait, whaaaaaaat! How? You must be lying.

Duolingo neighborhood stalker: Nope! Let me show you how. Tighten your seat belt, and let me take you on a journey deep into the inner architectural beauty of the Duolingo veins “API”, and how I was able to suck your private data off it.

Just like that, woof! woof! Time to suck Duolingo user data again.

Extracting Duolingo Private User Data

Before we even start extracting the data, the first thing we need to ask ourselves is, “What on earth (which is definitely flat) is this thing called the Duolingo app, and why is it of any importance?”

Well, Duolingo is a popular language-learning service available both on the web and as a mobile app. As of 2023, Duolingo has reported OVER 500 million registered users (active and non-active) worldwide.

Yes, you heard that right. Oooover 500 hundo million users :)

In my short demo below, I’ll be using Duolingo’s public API to try and extract any juicy PII, such as the name(s) of the user, the user’s location (country), a passport photo of the user (if one is set as the profile image), the language of the user and the date the user joined the app.

The API endpoints used in the demo are:

(i) Finding user data by username (add the username after the ‘=’ sign):

https://www.duolingo.com/2017-06-30/users?username=

(ii) Finding user data by email (add the user’s email after the ‘=’ sign):

https://www.duolingo.com/2017-06-30/users?email=

(iii) API version info (just a bunch of info about the API):

https://www.duolingo.com/api/1/version_info

Sites used to get sample data for the demo:

a) Duome — a site that lists stats of Duolingo users.

https://duome.eu/

b) Unix Timestamp — a site that converts epoch time to a date and time.

https://www.unixtimestamp.com/

Fields I concentrated on most:

  1. name : To know the actual name(s) of the pseudonymous user.
  2. profileCountry : This gives us a possible location where the user is located.
  3. picture : We get the passport photo of the user if one is set as the profile image. To enlarge the image, all I had to do was add “/xxlarge” at the end of the picture link to view the profile image in a large view.
  4. fromLanguage : We learn his/her language.
  5. creationDate : This is the date he/she joined Duolingo. The value is a Unix timestamp and should be converted to a date format to be easily readable.
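As an added example (my own code, not from the original post and not Duolingo’s), here is a small Python script that parses a users-endpoint response of the kind described above and reports which of the five fields a profile exposes, converting creationDate from a Unix timestamp and building the “/xxlarge” picture link. It runs offline against a constructed sample response; the {"users": [...]} wrapper, the https: prefix added to the scheme-relative picture path, and every value in the sample are assumptions, not captured Duolingo data. Run against the response for your own profile, it shows exactly what an unauthenticated caller can see, and which fields are simply not set and so have nothing to leak.

```python
import json
from datetime import datetime, timezone

# Constructed sample response (not captured from Duolingo). The {"users": [...]}
# wrapper is an assumption; the field names are the ones discussed in the post;
# the values are made up.
SAMPLE_RESPONSE = json.dumps({
    "users": [
        {
            "username": "example_user",
            "name": "Example Name",
            "profileCountry": "KE",
            "picture": "//example.invalid/avatar/sample",
            "fromLanguage": "en",
            "creationDate": 1583625600,
        }
    ]
})

# The profile fields the post singles out as PII visible without logging in.
PII_FIELDS = ("name", "profileCountry", "picture", "fromLanguage", "creationDate")


def creation_date_to_iso(epoch_seconds):
    """Convert the creationDate Unix timestamp (seconds) to a readable UTC date."""
    return datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc).strftime("%Y-%m-%d")


def enlarge_picture_url(picture):
    """Build the large-image URL: the post notes that appending "/xxlarge" to the
    picture link returns the profile image at full size. The scheme-relative
    form ("//host/path") is prefixed with "https:" (an assumption)."""
    if not picture:
        return None
    url = picture if picture.startswith("http") else "https:" + picture
    return url + "/xxlarge"


def exposure_report(raw_json):
    """Parse a users-endpoint response and, for each returned profile, list which
    PII fields are populated (and therefore exposed) and which are not set."""
    users = json.loads(raw_json).get("users", [])
    report = []
    for u in users:
        exposed = {f: u.get(f) for f in PII_FIELDS if u.get(f) not in (None, "")}
        if "creationDate" in exposed:
            exposed["creationDate"] = creation_date_to_iso(exposed["creationDate"])
        if "picture" in exposed:
            exposed["picture"] = enlarge_picture_url(exposed["picture"])
        report.append({
            "username": u.get("username"),
            "exposed": exposed,
            "missing": [f for f in PII_FIELDS if f not in exposed],
        })
    return report


if __name__ == "__main__":
    for entry in exposure_report(SAMPLE_RESPONSE):
        print(entry["username"], "exposes:", entry["exposed"])
        print("  not set (nothing to leak):", entry["missing"])
```

Fields that are empty in the response land in the “missing” list, which is the list you want to see grow after tightening the profile settings mentioned below.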

Note: As an authenticated user you can get a lot more juicy data than what we saw as an unauthenticated one.

My point: If you value your privacy and don’t like sharing a lot of information about yourself, change this information in your Duolingo settings to limit what other users can query or gather about you.

Stay safe and continue learning different languages.💙
