Ransomware

CBSE Results 2024 Threatened: Vulnerability May Compromise Student Scores

The security flaw on the CBSE website revolves around the exposure of administrative credentials and a technical misconfiguration in the SQL database system.

by Editorial May 13, 2024 in Firewall Daily Reading Time: 5 mins read 0

587 SHARES 3.3k VIEWS Share on LinkedInShare on Twitter

As the (CBSE) in India released the for its class 10th and 12th examinations, a significant cybersecurity flaw was discovered on the official website. This vulnerability, identified by The Cyber Express, could potentially allow unauthorized individuals to view and alter students' examination results.

The exams for Class 12 were held from February 15 to April 2, and for Class 10 from February 15 to March 13, conducted using traditional pen-and-paper methods where a total of 3,860,051 students appeared. Of these, 1,621,224 students participated in the Class 12 exams, while a significantly larger group of 2,238,827 students took the Class 10 exams. On Monday, students could access their results online by entering details such as their date of birth, roll code, and roll number.

But the security loophole, discovered early this morning, could potentially lead to a massive CBSE data leak, affecting millions of students across India.  The vulnerability was first noticed early this morning when the results were supposed to be securely accessible to students and their families. The flaw on the CBSE website revolves around the exposure of administrative credentials and a technical misconfiguration in the SQL database system, specifically within a stored procedure called ‘Getcbse10_All_2024'.

To the average person, this might merely seem like a glitch, but it's a significant security flaw that provides an opportunity for malicious actors to manipulate and misuse crucial information, including outcomes. The ramifications are profound, as this vulnerability endangers the personal and academic data of countless students, potentially impacting their future opportunities.

CBSE Results 2024: Student Data Risk Explained

The error message also includes connection string details, which are critical for connecting to the database but should never be exposed as they can lead to security risks.

The code message displayed on the website originates from a database query related to retrieving data concerning CBSE (Central Board of Secondary Education) Class 10 results for the year 2024.

‘Getcbse10_All_2024' refers to a stored procedure in the database. A stored procedure is a prepared SQL code that you can save and reuse. In this case, it's likely a procedure intended to retrieve all data related to the CBSE Class 10 results for the year 2024.

The procedure ‘Getcbse10_All_2024' is expecting a parameter named ‘@admid', but it was not provided in the call to the procedure. The ‘@admid' likely stands for “Administrator ID” or a similar identifier that should be passed to the procedure to execute properly. The absence of this parameter means the procedure cannot run as intended, leading to an error.

The error message also includes connection string details, which are critical for connecting to the database but should never be exposed as they can lead to security risks.

provider=MSOLEDBSQL: This specifies the provider used for SQL Server. MSOLEDBSQL is a Microsoft OLE DB provider for SQL Server.

server=10.***.10.***: This is the IP address of the server where the database is hosted. Knowing the server address can allow unauthorized users to attempt connections to the database.

Database=****results**: This is the name of the database. Knowing the database name helps in directing queries and commands to the correct database.

uid=cbseresults24; pwd=****************** : These are the credentials (username ‘uid' and password ‘pwd') used to authenticate to the database. With these credentials, an unauthorized user could potentially gain full access to the database, allowing them to view, modify, or delete data.

Although the exposed data presents a significant risk, a researcher from the AI-powered threat intelligence platform, Cyble, noted that the threat potential is somewhat mitigated by incomplete information disclosure.

“The IP address is internal and not public, which means that for a threat actor to extract information or gain access, they would need to engage in offensive actions like SQL injections or other methods. However, this does not diminish the seriousness of the exposed ID and password, which could still be exploited if the correct server address is discovered,” the researcher explained.

The error message not only indicates a technical issue in the database query execution but also highlights a potential vulnerability. If exploited by an individual skilled in database management and privilege escalation, this vulnerability could allow unauthorized access to the database.

Such unauthorized access could lead to various security risks, including data manipulation, deletion, or use for malicious purposes such as phishing or blackmail.

Immediate steps should be taken to secure the database, which include changing the database credentials, reviewing logs to check for unauthorized access, and implementing better security practices like not exposing sensitive information in error messages or logs.

Why CBSE Matters

The Central Board of Secondary Education (CBSE) is a prominent national education board in India, overseeing both public and private schools. It is under the direct purview of the Ministry of Education, Government of India.

The CBSE administers comprehensive examinations for students completing their 10th and 12th grades, which are crucial for advancing to higher education and professional pathways. The board is recognized for its rigorous curriculum and is influential in setting educational standards across the country.

The Cyber Express has contacted officials at the Central Board of Secondary Education (CBSE) to notify them of a detected vulnerability. We inquired if they are aware of the issue, the causes of this glitch, and the steps they intend to take to address it. We are currently awaiting a response from the organization.

Technical Aspect of the CBSE Data Exposure: Potential Risks

The exposure of the admin database ID and password in the CBSE data leak opens up several potential risks. While none of these events have occurred, the exposure of such critical credentials could lead to severe consequences if not addressed promptly.

1. Unauthorized Access and Control: With the admin credentials exposed, there is a potential for unauthorized users to gain full access to the CBSE's SQL database. This would allow them to view, copy, and manipulate sensitive data, including examination results and student personal information.

2. Risk of Data Manipulation: The ability to alter data is a significant risk. Although no data has been reported as altered, the possibility exists. Unauthorized changes could include tampering with examination results or modifying student records, which could severely undermine the integrity of the CBSE's educational assessments.

3. Threat of Data Theft: The exposed credentials could potentially be used to access and extract sensitive information. This data, which could include personal details of students and staff, is at risk of being used for malicious purposes such as identity theft or fraud.

4. Potential for Operational Disruption: While no disruptions have occurred, the exposed credentials could be used to damage data integrity or lock out legitimate users, potentially causing significant disruptions to CBSE's operations and affecting educational activities.

5. Foundation for Further Attacks: The leak itself could facilitate further attacks. With administrative access, attackers could deploy additional malicious software, establish backdoors for continued access, or leverage the compromised database to launch attacks on connected systems.

The situation remains fluid, and updates are expected as more information becomes available. Stay subscribed to The Cyber Express to learn more about the story as it proceeds.

Source

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button