Case of Privacy Breach by an University

UPDATE 14-07-2020 01:00 PM: HuffPost India published an article on the privacy breach (Delhi University Knew Privacy Breach Put Student Bank Account And Aadhaar Details At Risk) based on my demonstration of the vulnerability and the forensic data that I had collected. Karan Saini, a security researcher who earlier worked with the Centre for Internet and Society (CIS) and analysed the data, likened DU’s response to applying a surface-level band-aid for a much deeper problem. “There needs to be further thought applied in the designs of such systems to make them easy for legitimate users to utilise, and harder for unauthorised individuals to misuse or glean identifiable information from,” Saini said.

UPDATE 12-07-2020 08:30 PM: It appears from this report by Times Now that the vulnerability has not actually been fixed and data is still accessible without any form of authentication whatsoever. On Tuesday, the university took down the Admit Card Portal from where one could generate their admit cards. This article talked about a vulnerable endpoint that allowed anyone to access any admit card. This endpoint has changed to the following, all vulnerabilities and requirements remain the same. It is quite amusing to note that the only change done by the technical team at DUCC was the renaming of Admit_Card_Clink to Admit_Card in the URL.

https://examportal.duresult.in/StudentPortal/Admit_Card/Print_Admit_Card.aspx?CollegeCode=XXX&CourseCode=XXX&Rollno=XXXXXXXXXXX&Std_Name=&DB_Flag=DB

#DelhiUniversity ‘s website isn’t safe n secure and they talk about taking online examinations. Data breached on the online portal of #DU website. A lot of sensitive information could also be accessed from it.
@akshaylakra17 @nsui @guptar @Neerajkundan #SpeakUpForStudents

Originally tweeted by Arun Hooda đź’Ą (@pilotarunhooda) on July 12, 2020. Source: https://twitter.com/pilotarunhooda/status/1282310467009077248

Admit Card Details Accessed on Sunday Evening

UPDATE 11-07-2020 08:00 AM: The Kirori Mal College Portal is back online with the same vulnerabilities. This time, however, the link to view the admission form is disabled. This means that the Aadhar Number and Bank A/C Number is not viewable. This seems to be similar to putting a band-aid on a deeper injury, as the attendance information and personal details can still be viewed by adversaries.

UPDATE 10-07-2020 10:45 AM: Following media reports and complaints, Atma Ram Sanatan Dharma College and Kirori Mal College, both of which had similar college portals and are affiliated to the University, took them down on July 03 and July 10 respectively. The Portal of Janki Devi Memorial College, another constituent college of the University, still remains online and has similar vulnerabilities to the portals that were taken offline.

KMC College Portal on Friday Morning

UPDATE 07-07-2020 04:25 PM: At the time of updating this article, the University seems to have taken the Admit Card Portal offline, thereby addressing the issue. It must be noted that this vulnerable web application was functional from June 22, 2020 to July 07, 2020 and could have been misused in the mentioned time frame.

Endpoint as on Tuesday Evening

UPDATE 07-07-2020 09:55 AM: According to The Quint and India Today, a complaint has been filed against the Vice Chancellor of the University of Delhi (DU) over allegations of the varsity having leaked personal data of final-year students in admit cards issued ahead of the controversial online Open Book Examinations. The complaint, filed by former Delhi University Student’s Union President Arun Hooda at Maurice Nagar Police Station yesterday, says that the university has failed to maintain the trust of students. Hooda has filed the complaint on the behalf of National Students’ Union of India (NSUI). The Software Freedom Law Centre (India) was also notified about the technical details of the breach.

Police Complaint filed by Arun Hooda

UPDATE 05-07-2020 06:40 PM: Personal Details of students studying under the Non-Collegiate Women’s Education Board (NCWEB) are also publicly accessible and are exposed, as are the details of those studying at any of the constituent colleges, including the most prestigious colleges of the University.

UPDATE 05-07-2020 11:00 AM: The Indian Computer Emergency Response Team (CERT-In) has been notified about the data breach and vulnerability with the Common Weakness Enumeration CWE-284: Improper Access Control. They have acknowledged the receipt of the Vulnerability Report and are in the process of taking appropriate action in co-operation with the concerned authorities.

UPDATE 05-07-2020 09:40 AM: The University has made some superficial amendments to its Admit Card Portal by adding DoB as a credential to access the admit cards. On the technical side of things, this is apparently only on the front-end side of the portal. Data is still accessible via the vulnerable endpoint using the same parameters effectively CollegeCode, and CourseCode. The DoB is not required or verified at the back-end of the application. This portal is not only exposing details of UG students but also of PG (Graduate) students.

Admit Card Portal on Sunday Morning

UPDATE 04-07-2020 07:15 PM: It is disturbing to note that the admit cards of a number of postgraduate students are also available using the same endpoint. This is appalling keeping in view that information is priceless unlike precious metals in this day and age.

Admit Card of a PG Student

UPDATE 04-07-2020 06:05 PM: Following a brief outage, the endpoint is accessible yet again and can be accessed using the same parameters.

A Successful HTTP Request

UPDATE 04-07-2020 05:56 PM: The endpoint has been taken down this evening after repeated complaints. I thank everyone who helped raise the issue which prompted the institution to take the necessary steps. It was reachable this morning. The endpoint now resolves to the following:

Endpoint as on Saturday Evening

UPDATE 03-07-2020 08:15 PM: According to a local news website, the Dean of Examinations, did not see the privacy breach as a vital concern and seemed to rely on the (vague) “moral responsibility” of individuals. He went on to say that students are trying to create a fuss over nothing. According to the article, the portal had blocked issuance of admit cards by Thursday evening and said it was in the process of setting up an OTP system. This is not true as of the time of editing this article (Friday Evening). The endpoint mentioned in the article can still be accessed and admit cards are able to be downloaded which contains sensitive PII.

Admit Card downloaded on Friday evening
Admit Card downloaded on Friday evening

Individuals Affected: Undergraduate and Postgraduate Students studying at the University of Delhi

Type of Vulnerability: Disclosure of Sensitive Personally Identifiable Information

TL;DR The University of Delhi kept an insecure endpoint, which was meant to generate admit cards for the upcoming Open Book Examinations, exposed for about two weeks. An attacker is easily able to obtain PII consisting of the University Roll Number, Name, Father’s/Guardian’s Name, Date of Birth, Gender, Address, and Phone Number which can be used to gain access to Result Portals and Student Portals of its constituent colleges. It potentially violates the Section 72A of The Information Technology Act, 2000 of the Indian Constitution.

Primary Reason of Concern: PII can also be used to gain access to the college portals which host attendance, and sensitive information like Aadhar Numbers and Bank Account Numbers.

About Me: I wish to remain unnamed in any media coverage. Apart from that, I am a sophomore at Atma Ram Sanatan Dharma College, University of Delhi, majoring in Computer Science and Mathematics. My GitHub profile is https://github.com/sudiptog81 and you connect with me on LinkedIn at https://www.linkedin.com/in/sudiptoghosh99/.

Technical Details

The University uses the following scheme for assigning examination roll numbers to its students: Last 2 digits of the year of admission + College Code + Course Code + Unique 3 digit number for each student (e.g. 19003570xxx).

UPDATE 03-07-2020: Submitting the Form results in a Server Error

In order to generate an admit card, one had to populate this form with the examination roll number, the name of the student and an unique gateway password that was common to all students of a college.

To add to this, the examination roll numbers, the names and the gateway password was uploaded on the announcement sections of various college websites.

Information on Internal Assessment Marksheets
Information on Internal Assessment Marksheets
Gateway Password as Released by a College
Gateway Password as Released by a College

Upon submitting the form, the user is then redirected to the URL similar to the one given below:

https://examportal.duresult.in/StudentPortal/Admit_Card_Clink/Print_Admit_Card.aspx?CollegeCode=003&CourseCode=570&Rollno=19003570xxx&Std_Name=&DB_Flag=DB

It is interesting to note that it is possible to generate the admit card by navigating to the URL directly and changing CollegeCode, CourseCode and the Rollno.

An Example of Generated Admit Card
An Example of Generated Admit Card

The PII on the admit card is thereby available to the general public. All it needs is the list of College Codes and Course Codes, the Gateway Password is actually not required, nor is the Student Name.

These Codes are also available on public domain:

Proof of Concept

One can write a shell script that saves the admit cards locally as HTML files using cURL to hit the endpoint.

The downloaded web pages can then be parsed using the BeautifulSoup Python module and structured into a CSV spreadsheet using Pandas.

Analyzing this CSV spreadsheet using Exploratory Data Analysis packages, one can find information as depicted in a screenshot below:

Sample Data Obtained from Admit Cards

This data can be misused by individuals having malicious intent.

Potential Impact

The PII data can be used to gain access to the Result Portal and generate transcripts without the knowledge of a student.

Transcript Generated from Data
Transcript Generated from Data

The data can also be used to gain access to the college portals which host attendance, and sensitive information like Aadhar Numbers and Bank Account Numbers.

JDMC College Portal
Sensitive PII on College Portal
Sensitive PII on College Portal

The disclosure of such sensitive data to companies, organizations and bad players can cause immense devastation to the individual and can be used for spoofing, phishing, social engineering, doxxing and unethical tracking.

Demonstration

Sources

Leave a reply