Tabroom Api Issue

Oct 25, 2024

Background

What is Tabroom

Let's start off with what Tabroom is in case you don't already know. Tabroom is a website made by the National Speech and Debate Association (NSDA) to make tournament creation and management easier for organizers, coaches, and students. According to their website, there have been 10,000 tournaments held in the last three years, which is amazing for a project maintained by such a small team (from my research there are two developers).

Tabroom's Big Issue

Tabroom, besides being a crazy feat for such a small team, was also built in Perl. The issue is that right now developers don't like Perl, so fewer new developers have started using it. According to the NSDA, "Tabroom.com is written in a programming language [Perl] that has become obsolete".

The Fix

Right now, Tabroom is being rewritten in a different, more relevant programming language (it seems to be Node.js). This means that they have to rewrite hundreds of thousands of lines of code. For a small team that is a large task. Thankfully, they are not rewriting it all at once and are instead rewriting small chunks.

What They Are Doing Now

Palmer (one of the main developers) is rewriting the backend to use Node.js, and specifically the mock trial part of Tabroom.

What happened?

On October 9th 2024, I was trying to see what classes you could add to text in Tabroom by modifying the request with Burp Suite, and I noticed that inbox requests were going to api.tabroom.com. Since I had never seen the subdomain before, I went to check it out and found an OpenAPI document. This gave me an idea: to build a search based on the results from the API.

The tiny flaw

The API, thankfully, did not return student or coach info, nor did it let you add yourself to tournaments that you did not have permission to add users to. However, if you requested a tournament's info, it showed two important (and private) fields: the tournament organizer's notes to self and the online room (Zoom) info. On October 9th, I notified Tabroom support of the issue.

They responded:

I'm assigning this to a developer to take a look at - I will get back to you when I hear back. Thank you for giving us the heads up.

The Fix

On October 17th, the issue was fixed.

The issue you noted has been addressed. Thank you very much for calling this to our attention! It is much appreciated!

What to Learn

Nothing is perfect. When you have a project of such scale, changing anything could cause other side effects. But anyway, I think it's great that Tabroom is being rewritten into a language that is probably going to be here forever. But honestly, the main thing is just to check fields before putting them into a public API. I would honestly also add required auth to the API just in case, but other than that this was a fun thing to find and I'm happy that it got fixed.
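As an added illustration of that last point (example code, not Tabroom's own; the field names, the requester shape and the sample record are hypothetical stand-ins), here is how a Node.js API handler can allowlist the fields it serializes so that organizer notes and online room info only reach the organizer, with a small guard that catches a private field ever showing up in the public view:

```javascript
// Added example, not Tabroom code. Field names are hypothetical stand-ins for the
// kind of data the post describes: organizer notes-to-self and online room info.
const PUBLIC_FIELDS = ['id', 'name', 'start', 'end', 'city', 'state'];
const ORGANIZER_FIELDS = ['organizerNotes', 'onlineRooms'];

// Allowlist-based serializer: a field reaches the response only if it is named
// explicitly, so a column added to the model later is private by default.
function pick(record, fields) {
  const out = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(record, f)) out[f] = record[f];
  }
  return out;
}

// requester is assumed to be an already-authenticated identity ({ personId })
// or null for an anonymous caller; the auth middleware itself is out of scope.
function tournamentView(tournament, requester) {
  const isOrganizer = requester !== null &&
    tournament.organizerIds.includes(requester.personId);
  const fields = isOrganizer ? PUBLIC_FIELDS.concat(ORGANIZER_FIELDS) : PUBLIC_FIELDS;
  return pick(tournament, fields);
}

// Regression guard for tests: which private fields, if any, are present in a view.
function leakedFields(view) {
  return ORGANIZER_FIELDS.filter((f) => f in view);
}

// Constructed sample record (not real tournament data).
const SAMPLE_TOURNAMENT = {
  id: 42, name: 'Sample Invitational', start: '2024-11-01', end: '2024-11-02',
  city: 'Springfield', state: 'IL',
  organizerIds: [7],
  organizerNotes: 'remember to email judges',
  onlineRooms: [{ round: 1, url: 'https://zoom.example/j/000' }],
  passwordHash: 'never-serialized',
};

console.log(tournamentView(SAMPLE_TOURNAMENT, null));            // public view only
console.log(tournamentView(SAMPLE_TOURNAMENT, { personId: 7 })); // organizer view
```

The same allowlist can be checked against the OpenAPI schema in CI, so a field that is not documented as public cannot be returned by accident.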