June 15, 2017

A few days back, I was searching for some info about the ISC (class 12) marks distribution to support my argument with a friend that some boards are more liberal than others when it comes to grading. This led me to a 2013 blog post by Debarghya Das, then a Cornell undergraduate, in which he details how he ‘hacked’ into the ICSE (class 10) results. In the post, Das talks about the careless manner in which CISCE (the organisation that conducts ISC and ICSE examinations) had published the results online, and also exposes anomalies that pointed toward marks tampering by the board. At the time, many media outlets reported this as a violation of students’ privacy and as a major hacking incident, even though anyone with basic knowledge of web tech would tell you this wasn’t exactly rocket science. The data was just out there, waiting for anyone willing enough to steal it.

After reading the post, I decided to check out the CISCE website and see what improvements had been made to ensure no such breach happens again. I was greeted with a form asking for the UID (Unique Identifier) of the candidate (a seven-digit number, which CISCE introduced in 2014 in the wake of the 2013 fiasco) and a CAPTCHA verification field. While the UID can still be guessed by a bot, it is the CAPTCHA that I felt secured things pretty neatly. After all, CAPTCHA (which, by the way, is a backronym for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’) eliminates the possibility of an attack by a bot, right?

WRONG. I decided to snoop around a little into the code of the page and found a glaring loophole. Without getting into the technical details, let’s just say that you can keep sending the same CAPTCHA response over and over again by using a bot, and the server won’t notice a thing! Wow!

So, here we are, a good four years later, and the CISCE is still employing inferior technology to handle the students’ data.

I cooked up a little script, and within a matter of minutes, I had the results of nearly 50,000 ISC students on my computer. If both ICSE and ISC are taken into account, that’s about two lakh students’ data at risk. And not just their marks, but their names and the schools they go to as well. Four years on, it seems the CISCE is still lax about the privacy of their students’ data, by not using appropriate measures to secure access to it.

And CISCE isn’t the only board that leaves students’ data vulnerable to the hands of data miners such as myself. The CBSE doesn’t employ any CAPTCHA verification, and on a previous occasion, I was able to access close to 7 lakh Maharashtra Board HSC (Class 12) students’ data. And while I’ve not had the time to look into each of the state board websites, the fact that two of the boards with nation-wide candidature are so careless about students’ data is a real concern.

Online declaration of results makes it really convenient for students to access them, but the boards must work on ensuring that this convenience doesn’t come at the cost of privacy. Employing a secure CAPTCHA service, for example, can straightaway eliminate the possibility of such a large-scale breach. Other measures need to be incorporated along with this to ensure students don’t end up checking others’ results – such as having randomised roll numbers (as done by CISCE).
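
What a replay-proof CAPTCHA check looks like on the server, as an added example that is not code from this post or from CISCE: the post does not describe the site's mechanism, so this assumes the flaw was a solved challenge that was never invalidated, and all class and function names are hypothetical.

```python
import hmac
import secrets
import time


class ReplayableCaptcha:
    """Flawed pattern: a solved challenge stays valid, so one answer works forever."""

    def __init__(self):
        self._answers = {}

    def issue(self, answer):
        cid = secrets.token_urlsafe(16)
        self._answers[cid] = answer
        return cid

    def verify(self, cid, response):
        return self._answers.get(cid) == response  # entry is never removed


class SingleUseCaptcha:
    """Hardened pattern: every challenge is consumed on first use and expires."""

    def __init__(self, ttl=120, clock=time.monotonic):
        self._store, self._ttl, self._clock = {}, ttl, clock

    def issue(self, answer):
        cid = secrets.token_urlsafe(16)
        self._store[cid] = (answer, self._clock() + self._ttl)
        return cid

    def verify(self, cid, response):
        # pop() removes the challenge whether the answer is right or wrong,
        # so neither replaying a solved one nor retrying a failed one works.
        entry = self._store.pop(cid, None)
        if entry is None:
            return False
        answer, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(answer.encode(), response.encode())


def accepted_submissions(captcha, attempts):
    """Solve one constructed challenge, submit that same pair `attempts` times."""
    cid = captcha.issue("k7qz")  # constructed sample answer
    return sum(captcha.verify(cid, "k7qz") for _ in range(attempts))


if __name__ == "__main__":
    print("replayable:", accepted_submissions(ReplayableCaptcha(), 5))
    print("single-use:", accepted_submissions(SingleUseCaptcha(), 5))
```

With single-use challenges every result lookup costs one freshly solved CAPTCHA, which is the property the form needs before UID guessing stops being cheap.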

