The hall ticket numbers could be easily guessed, and the website's poor cyber security meant it was easy to “brute force” it and access data.

AP govt takes down inter exam website that leaked students' Aadhaar data
news Cybersecurity Friday, February 21, 2020 - 10:54

Personal details of lakhs of intermediate students stored on the official website of the Andhra Pradesh Board of Intermediate Education (BIE) were a sitting duck for hackers to grab and sell online. The data was kept behind poor security and could have been easily breached. The links to the student data have now been taken down by the Andhra Pradesh government.

France-based cyber security researcher Robert Baptiste on Thursday tweeted to the Andhra Pradesh CMO, claiming that one of the government websites belonging to the BIE was leaking personal data of students, including their Aadhaar numbers, photographs and details of parents. The security researcher told TNM that an AP government official reached out to him and that he disclosed the issue to the official the same day.

Lakhs of intermediate students are expected to take the exams, which are to commence on March 4. A total of 10,17,600 students took the intermediate exam in 2019. The security vulnerability was found on the AP BIE website that was meant for intermediate students to access exam results using their hall ticket numbers.

 

 

Robert told TNM that these hall ticket numbers could be easily guessed, and that the website's poor cyber security meant it was easy to “brute force” it and gain entry. “They should have added authentication, like a captcha and rate-limiting in order to remove the possibility for an attacker to brute force,” says Robert.
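The control described above, sketched as an added example (not code from the BIE website or from the researcher): a results lookup that counts how many distinct hall ticket numbers one client has queried recently, demands a captcha after a few and blocks after more. The class name, thresholds, client identifiers and ticket format are assumptions made for illustration.

```python
from collections import defaultdict
import time


class LookupGuard:
    """Limits how many distinct hall ticket numbers one client may query.

    A student checks one or two numbers; a crawler walks through many.
    Thresholds are illustrative assumptions, not values from the article.
    """

    def __init__(self, captcha_after=3, block_after=10, window_s=600):
        self.captcha_after = captcha_after
        self.block_after = block_after
        self.window_s = window_s
        self._seen = defaultdict(dict)  # client_id -> {hall_ticket: last_seen}

    def check(self, client_id, hall_ticket, captcha_ok=False, now=None):
        """Return 'allow', 'captcha' or 'block' for one lookup request."""
        now = time.monotonic() if now is None else now
        recent = self._seen[client_id]
        # Forget tickets whose last lookup fell out of the sliding window.
        for ticket in [t for t, ts in recent.items() if now - ts > self.window_s]:
            del recent[ticket]
        distinct = len(recent) + (hall_ticket not in recent)
        if distinct > self.block_after:
            return "block"
        if distinct > self.captcha_after and not captcha_ok:
            return "captcha"
        recent[hall_ticket] = now  # only served lookups are recorded
        return "allow"


def simulate():
    """Constructed traffic: a student refreshing, and two enumerating clients."""
    guard = LookupGuard()
    student = [guard.check("client-a", "HT0001", now=t) for t in range(6)]
    crawler = [guard.check("client-b", f"HT{n:04d}", now=n) for n in range(1, 13)]
    solver = [guard.check("client-c", f"HT{n:04d}", captcha_ok=True, now=n)
              for n in range(1, 13)]
    return student, crawler, solver


if __name__ == "__main__":
    for name, decisions in zip(("student", "crawler", "solver"), simulate()):
        print(name, decisions)
```

Repeated lookups of the same number never count against a client, so a student refreshing the results page is unaffected while a client stepping through numbers is challenged and then stopped.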

It was only in 2018 that phone numbers, email IDs and addresses of thousands of National Eligibility and Entrance Test (NEET) applicants were put up for sale online for Rs 2 lakhs by data brokers. Such student databases are sold by data brokers to advertisers and marketing agents, an investigation by The Wire revealed.

Robert says anyone who can write code to crawl through the BIE website could have easily downloaded the data. "These students deserve privacy. Their Aadhaar number is personal information," points out the French hacktivist.

Officials with the BIE did not respond to requests for comment but decided to take down the link that gave access to the student data. The website was taken down after officials from the Information Technology & Communications (IT&C) Department and the Chief Minister's office got involved.

Robert opined that the problem could have been averted if the developers had taken privacy into account while building the website.
