I’m Aarav, a 14-year-old who enjoys exploring how systems and code work under the hood. Recently, while using PhysicsWallah (PW), I stumbled upon something interesting: I realized it’s possible to gain XP without actually watching the full video. Here’s the story of how I found it.
Exploring the Player
Like most platforms, PW tracks how long you watch videos to give XP and mark lessons complete. While playing around with the browser’s developer tools (Inspect → Console), I noticed two JavaScript objects:
window.videoStats
window.watchStats
Both of these contained values about the video’s duration, progress, and history.
The Flaw
I realized that these values weren’t just for display — the PW system actually trusted them. That means if you changed watchStats.progress or videoStats.isComplete, the site believed you finished the video.
Normally, this kind of logic is handled on the server, where users can't tamper with it. Here the client-side (browser) code was in charge: the server seemed to accept whatever progress and completion state the browser reported, which opened the door to manipulation.
In other words: if the frontend says “Yes, I watched the whole 45 minutes”, the backend just says “Okay, cool” — even if you didn’t.
Proof of Concept
To test my theory, I wrote a short script that forged a “watch history.” Instead of just setting progress to the maximum, I made it more realistic by:
Splitting the video into multiple segments.
Adding small random pauses between them.
Updating timestamps to make it look natural.
Once I ran the script, the system accepted it. The XP was granted, and the video was marked complete.
What I Learned
This was my first time finding a real-world security design flaw, and it taught me an important lesson: never trust the client.
Frontend code is always visible to and modifiable by the user. If critical logic (like XP tracking) runs only on the client, anyone with a little curiosity can change it. Validation has to happen on the server: it should work out how much of a video was watched from events it records itself, against its own clock, instead of accepting a progress value or completion flag the browser reports.
Reporting It
I decided to do the responsible thing and emailed PW about the flaw. Even though I’m only 14, I felt it was important to share what I found so they can improve the platform.
Final Thoughts
For me, this wasn’t about cheating XP — it was about learning. I got to see how real-world systems can have weaknesses, and how developers can fix them. I hope PW addresses this, and I’m glad I had the curiosity to dig into it.
If you’re also curious about coding and security, here’s my advice: don’t be afraid to open DevTools, explore, and experiment. You’ll be surprised how much you can learn just by looking at how things work behind the scenes.
Written by Aarav
Top comments (3)
I found a similar glitch too. It turns out the PW system takes your local system time as your watch time. If a video started at, say, 1pm, and when you leave the player your system time is 4pm, it considers you to have watched 3 hours' worth of video. Obviously you can change your system time manually and gain XP easily. Reported the problem, and it's patched, I assume.
It's not like the code doesn't see how much time your video player was running.
Two major things are how many times you skipped (that is, in sec or min) as well as at what playback speed the video was watched.
I need that code bro 🙏🏻