The websites of several leading varsities, including Devi Ahilya Vishwavidyalaya of Indore and Mumbai University, are vulnerable to hacking that can alter sensitive information stored on their databases, according to a white hat hacker.
The white-hat or ethical hacker, who goes by the name Root_X_FlooD, contacted Hindustan Times and said the portal for Devi Ahilya Vishwavidyalaya’s (DAVV) Common Entrance Test (http://davvcet.in/) can easily be hacked and information like names, roll numbers and marks of students can be altered.
The hacker claimed the websites of several other universities are similarly vulnerable to hacking. “Even Vikram University in Ujjain, Mumbai University and IFTM University in Moradabad are vulnerable,” the hacker said.
The term “white hat hacker” refers to a person who uses ethical hacking to expose vulnerabilities in a website, while “black hat hackers” are those with malicious intent.
During an online chat, the hacker said: “I have access to the database of DAVV CET exam, Madhya Pradesh, and can change results.” He provided some screenshots to prove he had hacked the site.
The hacker claimed he had accessed the DAVV website’s administrator page that hosts the results of the common entrance exam. When students check their results at http://davvcet.in/Results.html, a query is sent to this database and the results are retrieved.
When a hacker changes results by accessing the database, the student will see an altered result and not the original one.
Imroz Khan, a software engineer at DAVV, clarified that the results uploaded on the varsity’s portal were only for display to students who sat for the entrance test.
Khan said that apart from the uploaded results, the university maintains “a soft copy as well as a signed copy for admission and counselling purposes”.
“DAVV also shares the data with MP-Online and counselling is done using the MP-Online server. It may be noted that the MP-Online server has very strict security protocols and auditing system, which makes it virtually impossible to hack or tamper. Effectively it is a four-tier system,” he said.
“Still, we are checking the vulnerability, if any, on our davvcet.in website,” he added.
The hacker claimed that even if persons did not change the marks, they could access key information such as the number of people who took a test, their full names, their parents’ names, phone numbers, email IDs, addresses, marks obtained, and other details such as date of birth. If a hacker has malicious intentions, this information can be sold to interested parties.
“If a bad guy gets hold of this, then students are gone. Even a black hat can take (money) to change results,” he added.
The hacker claimed he could hack Mumbai University’s website and retrieve the student database but “it will be illegal and it will take time to bypass the mod security”.
Exposed to a virtual assault
The ethical hacker, called Root_X_FlooD, said several other institutions across India - such as Mumbai University - are also vulnerable to hackers
The hacker said that he has access to the database of the DAVV CET exam, Madhya Pradesh, and can change its results at will
However, Imroz Khan, a software engineer at DAVV, allayed fears by saying that the uploaded results were only for display to students who sat for the entrance test
He said the university additionally maintains a soft copy as well as a printed copy for administrative and counselling purposes.
(With inputs from Milind Lashkari)