The websites of several leading varsities, including Devi Ahilya Vishwavidyalaya of Indore and Mumbai University, are vulnerable to hacking that can alter sensitive information stored on their databases, according to a white hat hacker.
The white-hat or ethical hacker, who goes by the name Root_X_FlooD, contacted Hindustan Times and said the portal for Devi Ahilya Vishwavidyalaya's (DAVV) Common Entrance Test can easily be hacked and information like names, roll numbers and marks of students can be altered.
The hacker claimed the websites of several other universities are similarly vulnerable to hacking. "Even Vikram University in Ujjain, Mumbai University and IFTM University in Moradabad are vulnerable," the hacker said.
The term “white hat hacker” refers to a person who uses ethical hacking to expose the vulnerabilities of a website, while “black hat hackers” are those with malicious intent.
During an online chat, the hacker said: “I have access to the database of DAVV CET exam, Madhya Pradesh, and can change results.” He provided some screenshots to prove he had hacked the site.
The hacker claimed he had accessed the DAVV website’s administrator page that hosts the results of the common entrance exam. When students check their results at
, a query is sent to this database and the results are retrieved.
When a hacker changes results by accessing the database, the student will see an altered result and not the original one.
The hacker claimed even if persons did not change the marks, they could access key information like the number of people who took a test, their full names, their parents’ names, phone numbers, email IDs, addresses, marks obtained, and other details such as date of birth. If a hacker has malicious intentions, this information can be sold to interested parties.
"However it may be used, it is dangerous information to have. I mailed them (the universities) regarding the vulnerability, but they don't care. No one gives a fu**," the hacker said.
"If a bad guy gets hold of this, then students are gone. Even a black hat can take (money) to change results," he added.
The hacker claimed he could hack the Mumbai University’s website and retrieve the student database but “it will be illegal and it will take time to bypass the mod security”.
He added: “Then we can do an sql query to get the columns. But I have left the cyber world now because right now I'm focussing on my studies. So I’m not doing that now."
Only for display purpose
Imroz Khan, a software engineer at DAVV, clarified that the results uploaded on the varsity’s portal were only for display to students who sat for the entrance test.
Khan told Hindustan Times that apart from the uploaded results, the university maintains “a soft copy as well as a signed copy (printed copy) for admission and counselling purposes”.
"DAVV also shares the data with MP-Online and counselling is done using the MP-Online server. It may be noted that the MP-Online server has very strict security protocols and auditing system, which makes it virtually impossible to hack or tamper. Effectively it is a four-tier system," he said.
"Still, we are checking the vulnerability, if any, on our davvcet.in website," he added.
(With inputs from Milind Lashkari)