Ethical hacker finds critical bugs in CBSE's OSM portal, data at risk

Published : Jun 04, 2026, 02:31 PM IST
B.Tech student and ethical hacker Tirth Parmar (Photo/ANI)

Synopsis

A 22-year-old ethical hacker, Tirth Parmar, found critical vulnerabilities in CBSE's OSM portal, exposing data of 9.3 million students. He claims a skipped security audit left the portal open to hacks, data theft, or even ransomware attacks.

A 22-year-old B.Tech student and ethical hacker, Tirth Parmar, claimed that he was surprised to find many vulnerabilities in CBSE's On-Screen Marking (OSM) portal, leaving the database with student information exposed.

Hacker Details Critical Vulnerabilities

Speaking with ANI, Tirth Parmar claimed that CBSE "skipped" the security audit, which left the portal with many critical bugs through which it could be hacked. "It was quite surprising because I was not expecting this many critical bugs. And there was an easy way to get into the system by just downloading the publicly accessible files, which had the passwords of the databases. So there were two ways of getting to the system. One was by guessing the URL, downloading the file, and basically getting the user ID of the databases and connecting to the server. And the other was a chain of multiple bugs, which I have exploited and reported to the authorities," he said.

"I think they have to do a security audit before releasing any version to the public, which I think they have skipped, and that's why so many critical bugs were found in production," he added.

Explaining how he was able to get into the portal, Parmar said, "There were multiple bugs, like a hard-coded master password, which was the easiest way to get into the system as an admin. And I think they fixed it. But there are many critical bugs like SQL injection, and the few accessible files and APIs are not even working without any kind of authentication. And I was able to retrieve sensitive information without any kind of authentication from that."

CBSE Unresponsive Amidst Ransomware Warnings

The 22-year-old student said that he has approached CBSE about the shortcomings of the portal, but hasn't received any response yet. "Yeah, I have reported, I think multiple times, but I haven't received any response from them yet. They have to fix the bugs which many ethical hackers have contributed and submitted. They have to fix that first and do other security audits as well. And they could basically organise a bug bounty program or vulnerability disclosure program. So it could help," he said.

Warning that any unethical hacker could get into CBSE's database and read or download records, he advised CBSE to put safeguards in place to protect itself from such attacks. "So if someone who is unethical, they can get into the database. They are able to edit or read any records or able to download it, or in the worst case, someone can do a ransomware attack and ask for a big amount of ransom from the government. So there was like 9.3 million records of the students who were at risk," he said.

He urged CBSE to fix the shortcomings of the portal to protect the database. "I will ask them to fix the issue which we have reported first, and then do a security audit by themselves or ask the other ethical hackers or any contributors as well," he said.

CBSE continues to face mounting pressure following reports of technical failures in its post-result portal and OSM discrepancies in evaluated answer sheets. (ANI)

(Except for the headline, this story has not been edited by Asianet Newsable English staff and is published from a syndicated feed.)
