alt Hacker NewsExposing Critical Vulnerabilities in CBSE's On-Screen Marking Portal
Comments
Big oof.
A master password shipped in client-side JS.
A fake OTP authentication process - "the server sends the OTP back...and the [client code] compares what you typed against that value locally before letting you through"
And it gets worse after that.
Author here, thanks for posting about it :)
India's education sector is a real shit-show. The rot starts at the bottom: students that resort to cheating, the endless question paper leaks of national level examinations, and curricula that are stuck in the past. All these lead to the problem that affects the country's economic and social development: a lack of foundational research in frontier science and technology, where the country is always a follower and never a leader.
Maybe these things are to be expected, given that even the Prime Minister's academic credentials are suspected to be bogus.
This is unbelievable!! At a certain point surely doing things the right way would be easier or more clearly correct? Like, if you were implementing this you’d obviously know that it’s insecure right??
It's getting real hard to apply Hanlon's razor ("assume ignorance before malice") when it comes to egregious incompetence like this.
I wonder if this particular backdoor (front door?) has been used before; perhaps there are black-hat services that sell grade upgrades.
To note, this is the largest board of education in India, the most populous country in the world - some 29,000 schools are affiliated to it and millions of students enrolled in a curriculum designed and controlled by the CBSE