TurnItIn.com was starting to be a thing when I was in high school. I found out it didn’t sanitize the papers you upload and had no CSRF protection, so I could upload a doc with inline JavaScript to hit the change-password and logout APIs.

Was pretty impactful for my education, just not in the intended way