Ross Ulbricht, Duolingo & sh1n4r

Ivano Somaini made a terrific discovery about Duolingo API. Let's dive into it.

by Maverick

Last updated 03-07-2023

1. Intro


On March 2nd Ivano Somaini made a post on Twitter showing how to take advantage of Duolingo’s API to check if an email address is associated with a Duolingo account:

Add the target e-mail address as the value of the email parameter at the end of the following API URL: https://duolingo.com/2017-06-30/users?email=

Duolingo then returns a JSON document containing (among other things) the following data about the target account:

  • Streak – A user's streak is a measure of how consistently they use Duolingo. A streak starts at zero and increases by one for each day the user completes a lesson.
  • Profile picture – For this field Duolingo’s API returns a URL with the structure //simg-ssl.duolingo.com/avatar/*******/*******. Somaini mentions that appending (without quotes) “/xxlarge” to this URL lets you open the avatar picture. Note that if you get //simg-ssl.duolingo.com/avatar/default_2 there is no profile picture associated with the email address you entered.
  • Learning languages, XP points and crowns – Duolingo’s API shows which courses the account has enrolled in. XP points and crowns give an idea of the progression on those courses.
  • hasFacebookId – Shows if the profile is associated with a Facebook account (true or false)
  • hasGoogleId - Shows if the profile is associated with a Google account (true or false)
  • id – Seems to be Duolingo’s user ID.
  • username – Username associated with the Duolingo’s account
  • hasPhoneNumber – Shows if the profile is associated with a phone number (true or false)
  • creationDate – This is a Unix timestamp (epoch time) that appears to show when the account was created. You can convert it here (https://www.epochconverter.com/).
  • name – Name associated with the account.
  • Location – User location (not sure if it’s vetted by Duolingo)
  • emailVerified – Shows if the email address associated with the account was checked by Duolingo (true or false).

Keep in mind that some of those fields are common (e.g. username) and some are very rare (location data).
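As an added example (not the shinar script itself, nor Duolingo's code), the following Python parses a constructed response in the shape described above, converts creationDate from epoch time, spots the default_2 placeholder avatar and lists which of the sensitive fields are actually populated; the "users" wrapper and the "picture", "location" and "courses" key names are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the response the post describes.
# The "users" wrapper and the key names "picture", "location" and
# "courses" are assumptions; nothing here is real Duolingo data.
SAMPLE_RESPONSE = json.dumps({"users": [{
    "id": 123456789, "username": "example_user", "name": "Example User",
    "streak": 12, "picture": "//simg-ssl.duolingo.com/avatar/default_2",
    "creationDate": 1356998400, "hasFacebookId": False, "hasGoogleId": True,
    "hasPhoneNumber": False, "emailVerified": True, "location": "Sao Paulo",
    "courses": [{"title": "Spanish", "xp": 340, "crowns": 7}],
}]})

# Fields the post singles out as sensitive PII when present.
PII_FIELDS = ("name", "location", "picture")


def summarize(raw_json):
    """Reduce one API response to the fields the post walks through; None if no account matched."""
    users = json.loads(raw_json).get("users") or []
    if not users:
        return None
    u = users[0]
    avatar = u.get("picture") or ""
    # ".../avatar/default_2" means no profile picture was ever uploaded.
    has_avatar = bool(avatar) and not avatar.endswith("/default_2")
    ts = u.get("creationDate")  # Unix epoch seconds
    created = (datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
               if ts is not None else None)
    return {
        "id": u.get("id"),
        "username": u.get("username"),
        "name": u.get("name"),
        "streak": u.get("streak", 0),
        "created": created,
        # "/xxlarge" appended to the avatar path resolves to the full image.
        "avatar_url": "https:" + avatar + "/xxlarge" if has_avatar else None,
        "linked": [k for k in ("hasFacebookId", "hasGoogleId", "hasPhoneNumber") if u.get(k)],
        "email_verified": bool(u.get("emailVerified")),
        "location": u.get("location"),
        "courses": [f"{c.get('title')} ({c.get('xp', 0)} XP, {c.get('crowns', 0)} crowns)"
                    for c in u.get("courses") or []],
        # Which of the sensitive fields this account actually exposes.
        "exposed_pii": [f for f in PII_FIELDS if (has_avatar if f == "picture" else u.get(f))],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```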

Below is an example of this procedure and the avatar associated with the targeted email address.

Duolingo's API Query JSON response



Associated avatar picture



Let's check an example with location data included in the JSON:

JSON response with location data.


Additionally, Twitter user @djnemec commented on Somaini’s original post (OP) stating that Duolingo’s API sometimes also delivers credit card info.

Source: https://twitter.com/djnemec/status/1631456723712999424/photo/1


Always remember the best protection practices: Using condoms and disposable credit card numbers.

As a side note, it is worth mentioning that we have not (yet) been able to confirm ourselves that Duolingo’s API is currently delivering credit card info.

By the way, what Somaini didn’t mention is that the same procedure works for usernames too. So you can query Duolingo’s API to check if a given username is associated with a Duolingo account. Just add the subject username as a parameter at the end of the following API URL:

https://duolingo.com/2017-06-30/users?username=

Last but not least: if you’re going to try this method manually (wait for it), do it on Firefox to get a beautified JSON out of it.

2. Duolingo(ing)


So, what is Duolingo? As you probably know, Duolingo is a language learning website and mobile app.

With Duolingo users can learn languages and practice vocabulary, grammar, and pronunciation.

At the point this article was written, Duolingo offers 39 different language courses for English speakers.

Believe it or not, you can learn High Valyrian on Duolingo.

Nyke Daenerys Jelmazmo hen Targario Lentrot, hen Valyrio Uepo anogar iksan. Valyrio muño engos ñuhys issa.

If you get the above Valyrian quote, you are a person of culture.

Game of thronin' aside, let's get back to business: Duolingo uses a freemium business model but also offers a premium service that eliminates advertising and offers more features.

As of this write-up, Duolingo has generated more than $265.7 million in revenue in the past three quarters of 2022 and has over 500 million registered users (37 million are active once a month).

3. Shinar


URL manipulation is a powerful technique for OSINT investigations.

For instance, great tools like Sherlock take advantage of URL manipulation to grab data from web services.

Black Owl Intelligence is a full-blown fan of Michael Bazzell and, inspired by his work, created a virtual machine full of scripts to use in our OSINT investigations, with a twist to focus a bit more on the needs of LATAM.

With that in mind, today we are going to share with you a little piece of that virtual machine. A very simple python script to automate Somaini’s findings.

For your consideration, the Shinar.

Using an email address as input, shinar prints out on a Linux terminal the most relevant data presented by Duolingo’s API (if you want the full sh** you need to explore the URL manipulation on Firefox yourself).

4. Ross Ulbricht


If you are familiar with our work, you know we like to get our hands dirty. So let’s take Ross Ulbricht as a use case.

Since you were able to find us here, you probably already know that Ross William Ulbricht is an American serving life imprisonment for creating and operating the darknet market website Silk Road from 2011 until his arrest on October 1st, 2013.

The Silk Road investigation is a long story and a brilliant one.

In Brazil, people have a saying when they face a long story: “Don’t tell me. I’ll wait ‘till it becomes a movie”. Well, guess what? Yeah… There’s a movie about the silk road investigation.

Long story short, the turning point in the investigation came when Gary Alford, an IRS special agent, found Ross Ulbricht’s Gmail address on a Bitcoin forum (yes, you read it right. F****ng IRS! They are an awesome and underrated law enforcement agency with lots of tricks to teach us! Kudos to them!).



There’s a lot of OSINT that can be done with an email address but let’s run rossulbricht[@]gmail.com on shinar.

Shinar doing its magic.


That’s it. Looks like Ross Ulbricht was trying to learn Spanish on Duolingo. LoL

Worth noting that he (allegedly) created the account on 05/29/2013 (roughly 4 months before he was arrested), which scores points for attribution purposes.

This is just a silly example used to play with shinar, but the thing is: Duolingo’s API can yield sensitive Personally Identifiable Information (PII) like location and profile avatar.

It goes without saying that this kind of data can be paramount in an investigation.

5. Final Thoughts

No long texts today. Happy hunting.
And we hope you like shinar.

This article is in memory of S***e: the American Staffordshire Terrier that taught me daily to never give up a hunt. RIP my dear friend! We shared lovely moments. You shall never, ever, be forgotten.
03/19/2014 – 03/06/2023.