Developer scrapes 200k+ students’ personal information, exam results after finding security flaw


(Screenshot by Terence Huynh)

A developer has managed to scrape the personal information and national examination results of over 200,000 students in India after finding a security flaw in the Council for Indian School Certificate Examinations exam results website.

Debarghya Das, a software intern at Google, wrote on Quora that he initially tried hacking into the system before the day the exam results were released, in order to “quell [my friend’s] curiosity”. He had the URL and his friend’s student number, but it didn’t work.

He tried again when the results were already out – using his friend’s student number – to see if he could scrape some results.


“Viewing the source of the invalid page revealed some very poorly written and badly styled javascript. The javascript wasn’t separated away from the HTML into its own JS file (as is usually done). Neither was it minified. It was some sloppy web-work,” he wrote.

Das found that the results were not coming from a database. Instead, the page was fetching them from another URL. That URL was unindexed, so you could not find it through Google (unlike a recent Telstra incident), but it had no proper security mechanism whatsoever: each result page was stored under the student’s roll number, and all he needed to do was write a program that stepped through the school ID and student ID ranges and stored the results on his computer.
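The weakness described above is a predictable, unauthenticated per-roll-number URL, and the operational symptom on the server side is one client walking through consecutive IDs. The following is an added example (not code from the article or the exam board) of how a defender might flag that pattern in web server access logs; the hostnames, URL layout, roll-number format and log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in common log format. The /results/<roll>.html
# layout and the roll numbers are assumptions for this example, not the real site's.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2014:10:00:01 +0530] "GET /results/T1234567.html HTTP/1.1" 200 2048
203.0.113.7 - - [20/May/2014:10:00:01 +0530] "GET /results/T1234568.html HTTP/1.1" 200 2051
203.0.113.7 - - [20/May/2014:10:00:02 +0530] "GET /results/T1234569.html HTTP/1.1" 404 512
203.0.113.7 - - [20/May/2014:10:00:02 +0530] "GET /results/T1234570.html HTTP/1.1" 200 2047
198.51.100.4 - - [20/May/2014:10:00:05 +0530] "GET /results/T1239901.html HTTP/1.1" 200 2050
198.51.100.4 - - [20/May/2014:10:07:12 +0530] "GET /results/T1239901.html HTTP/1.1" 200 2050
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /results/(?P<roll>\w+)\.html')

def parse(log_text):
    """Yield (ip, timestamp, roll) for every request to a result page."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["roll"]

def find_enumerators(log_text, window_s=60, min_distinct=4):
    """Return {ip: sorted distinct rolls} for clients that requested at least
    min_distinct different roll numbers within window_s seconds."""
    by_ip = defaultdict(list)
    for ip, ts, roll in parse(log_text):
        by_ip[ip].append((ts, roll))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0  # left edge of a sliding time window over this client's requests
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {r for _, r in hits[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[ip] = sorted(distinct)
                break
    return flagged

def looks_sequential(rolls):
    """True when the numeric parts form a run of near-consecutive IDs, the signature of a script."""
    nums = sorted(int(re.sub(r"\D", "", r)) for r in rolls)
    return len(nums) > 1 and all(b - a <= 2 for a, b in zip(nums, nums[1:]))
```

A student checking their own result touches a single roll number, so the 198.51.100.4 client is not flagged even though it requested the page twice; the 203.0.113.7 client is flagged and its roll numbers are consecutive.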

He managed to scrape the name, date of birth, ID number, school and exam results of 150,000 students undertaking the ICSE (the national examination taken in the 10th grade) and 65,000 students doing the ISC (12th grade). And this was for the entire country.

“Not only was this a violation of any and all forms of privacy associated with something as personal as your examination marks, but a mass divulsion of all sorts of personal information – names, date of birth and school,” Das wrote.

“This was a privacy breach of the highest order – a technological blitzkrieg.”

And he did what all other nerds do when they have data: crunch some “badass numbers”. He looked at how well this year’s ICSE students had done and plotted the mark distributions for the five most common subjects: English; History, Civics and Geography; Computer Applications; Hindi; and Science. He also calculated the marks for Maths.

Das also claims to have managed to hack into the results for the CBSE, another exam board. However, that hack presented its own challenges, such as having to fetch one million records rather than thousands.

You can read the full story here.