NEW DELHI — Delhi University’s attempt to provide online admit cards for its examinations has inadvertently exposed the Aadhaar numbers and bank account details of thousands of students, HuffPost India has learnt.
At the time of publication, the system continues to leak this information despite it being brought to the university authorities’ attention 10 days ago, on July 4.
On July 2, university students raised the alarm that DU’s online admit card system allowed each admit card to be accessed by anyone who had access to a student’s name, roll number and college code — details which were available to the public from marksheets uploaded on the DU website. Once accessed, every admit card revealed a student’s phone number, address and e-mail id among other details.
Now, a computer science student on campus has shown HuffPost India how information gleaned from the admit-card breach can be further used to dig out even more sensitive information like a student’s Aadhaar card and bank details.
This breach, security researcher Karan Saini says, illustrates how institutions like universities remain ill-prepared to safeguard the vast troves of sensitive information gathered in their rapid quest to digitise their records.
In the third week of June, Delhi University issued a notification saying it would send a link to its colleges for students to download the admit card for the Open Book Exam it would conduct online in July.
On the intervening night of July 1 and 2 a notification with the link began circulating on student WhatsApp groups.
It was the first time Delhi University had set up a link to issue admit cards online. These were for the final semester exams of final year undergraduate and post-graduate students.
When students began using the UG admit card link to log in and access their cards, they found that the process did not require any unique information. Each admit card could be easily accessed by anyone — all it needed was the student’s name, roll number and college code — details which were available to the public from marksheets uploaded on the DU website. Once accessed, every admit card revealed a student’s phone number, address and e-mail id among other details.
Vivek Prasad and Ribhav Pande, LLB students at the Campus Law Centre, noticed this on the morning of July 2 and began tweeting about the privacy breach. As it made news, DU’s dean of examination dismissed the problem as a “fuss over nothing”.
This was bad enough but it was merely a glimpse of how substantial the breach was. That evening, the UG portal stopped issuing admit cards, saying it was in the process of setting up an OTP generation system.
But a computer science student at the university dug deeper and found that the insecure endpoint was still exposed. Even worse, the URL which the portal generated to issue the admit card could still be accessed.
The student, who has shared his findings with HuffPost India, said his own college had been provided the link to the admit card portal through the announcement section of its official website on June 22.
“I was able to generate my admit card (first year student - not supposed to give exams) on June 22. The vulnerability existed on June 22 as I was able to generate the same for a friend of mine and asked whether we were supposed to give the examinations or not, as the portal was supposedly to be used only by the final year students,” he said.
The student did not go back to check whether it remained open between June 23 and July 1.
However, on July 2 he investigated further.
“One can write a shell script that saves the admit cards locally as HTML files using cURL command to hit the endpoint,” the student said.
The student demonstrated to HuffPost India how the personal details could be used to enter the student login on DU college portals which showed students’ attendance records, mark sheets and sensitive information like their Aadhaar and bank account numbers.
Security researcher Karan Saini, who corroborated the information provided by the student, said, “Anyone with knowledge of the existence of this flaw, and knowledge of how the HTTP protocol functions, as well as how automated requests can be made and sent to web applications would have been in a position to gather student data.”
The student told HuffPost India, “I alerted my faculty, the head of my department, the principal of my college and the DUTA president of this issue (on July 2) and passed on the details to them the same day.”
The student also informed the Dealing Assistant (Science) of his college office on July 2. The college’s portal was taken down the next day.
On July 4, the Indian National Teachers Congress (INTEC) raised the issue with the administration. INTEC Chairman Ashwini Shankar confirmed the DU administration had been made aware of the seriousness of the breach.
Shankar had himself found out about it through WhatsApp groups formed with students to exchange information as the university building remained closed during the COVID-19 pandemic.
“They (the administration) had a stereotype reply that they will look into. They will never say no, but they will never do anything. They are working as instruments of the MHRD, doing nothing except destroying public institutions.”
Shankar said that the administration also did not acknowledge that sensitive information had been exposed.
On July 5, the student found that the insecure endpoint on the university site allowed him to access private details of post-graduate students as well. The same day he submitted a Vulnerability Report to the Computer Emergency Response Team of India (CERT-In), which falls under the Union Ministry of Electronics and Technology.
He received an acknowledgment of the report from CERT-In, which said: “We are in the process of taking appropriate action with the concerned authorities.”
HuffPost India has reviewed the email exchange.
Meanwhile, the student also found that the breach exposed details of the students at the Non-Collegiate Women’s Education Board (NCWEB).
On July 6, Akshay Lakra, president of the Delhi unit of the National Students’ Union of India (NSUI), and former DU students’ union president Arun Hooda filed a complaint with the Delhi Police urging action against the university’s Vice Chancellor.
“It is not just a blunder but also breach of privacy of students and endangers the lives of students in DU,” they said.
The portal for all colleges was finally taken offline some time in the evening on July 7 and updated.
But the student found that the new URL format, generated when LLB and PG students logged in for admit cards, still remains accessible. “They changed the name of the folder containing the application. They didn’t attempt to address the actual issue on the backend it seems,” he said.
Saini, the security researcher, likened DU’s response to applying a surface-level band-aid to a much deeper problem. As the university takes more and more of its critical functions online, university departments need to think about how to secure the personal data and privacy of their students and teachers.
“There needs to be further thought applied in the designs of such systems to make them easy for legitimate users to utilise, and harder for unauthorised individuals to misuse or glean identifiable information from,” Saini said.
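The design point Saini makes, and the folder rename the student describes, can be shown side by side. This is an added illustration, not code from Delhi University or its portal; all student records, paths and OTP values are constructed, and the OTP session step is an assumed design rather than anything the article says DU built.

```python
# Added illustration (not Delhi University's code): three versions of an
# admit-card lookup. All names, roll numbers and college codes are constructed.
import secrets

STUDENTS = {  # constructed records keyed by roll number
    "19001": {"name": "A. Student", "college": "CLC", "phone": "98xxxxxxxx"},
    "19002": {"name": "B. Student", "college": "CLC", "phone": "97xxxxxxxx"},
}

def admit_card_v1(name, roll, college):
    """Original design: the only 'credentials' are public marksheet fields,
    so anyone who can read a marksheet can fetch anyone's card."""
    s = STUDENTS.get(roll)
    if s and s["name"] == name and s["college"] == college:
        return {"roll": roll, **s}
    return None

def admit_card_v2(path, roll):
    """The 'fix' described in the article: the application folder is renamed,
    but the endpoint still performs no authentication or ownership check."""
    if path != "/renamed_folder/admitcard":   # assumed new path
        return None
    s = STUDENTS.get(roll)
    return {"roll": roll, **s} if s else None

SESSIONS = {}  # token -> roll number the token was issued for

def login_with_otp(roll, otp_submitted, otp_sent):
    """Assumed OTP step: otp_sent is what the server delivered to the phone
    on record for roll; a session is bound to that roll only on a match."""
    if roll in STUDENTS and secrets.compare_digest(otp_submitted, otp_sent):
        token = secrets.token_urlsafe(16)
        SESSIONS[token] = roll
        return token
    return None

def admit_card_v3(token, roll):
    """Hardened: serve a card only to a session bound to that roll number.
    Knowing a name, roll or college code no longer grants access."""
    if SESSIONS.get(token) != roll:
        return None
    return {"roll": roll, **STUDENTS[roll]}
```

The contrast is that v1 and v2 authorise on data the requester can look up, while v3 authorises on a verified identity and then checks that the identity owns the record being requested.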
While Delhi University did not acknowledge the breach or inform students of it, Saini said there was little an individual could do should the information be acquired by an attacker.
“The onus here should be on the affected institution to carry out a comprehensive investigation, to confirm or deny whether student data was accessed outside of what was done in furtherance of the researcher’s efforts. Unfortunately, lawsuits filed by individuals affected by privacy breaches or security incidents are not as common in India as they are in the western world. In early 2019, the late Prof. Shamnad Basheer had filed a PIL against the UIDAI in response to media reports of Aadhaar data breaches, and that still remains one of the most prominent examples of legal action undertaken by parties affected by such incidents,” he said.
“When database systems give away a fair chunk of this information at negligible cost (that is, of writing a script that can automate the process of downloading said information), it makes the work of unscrupulous forces that much easier,” Saini added.