Thiruvananthapuram: The Kerala State IT Mission has found serious security flaws on the website of the Board of Technical Education. It has been found that the website www.tekerala.org is vulnerable to a severe data breach involving vital information pertaining to the students.
With the current system in place, hackers can easily gain access to the website. Student data is passed on without encryption, and the passwords demanded on the site can be easily guessed by anyone. The IT Mission claimed that all the vital information on students can be downloaded with just two clicks.
Shockingly, no steps have been taken by the authorities concerned to rectify the technical issues even 10 days after the flaws were highlighted by an 'ethical hacker' on a dedicated Facebook page called Cyber Sword. Earlier, in January, the IT Mission officials had also provided a security audit report on the website.
Though the state government had asked the board to temporarily take down the website till the security issues are resolved, it has been learned that board officials are adamant about retaining the website as it is. Citing exams, the board said that it cannot take down the site at this juncture.
The ethical hacker, who pointed out the security issues on the Facebook page, has also put up a detailed video showing how to edit the information provided by students after getting into the site.
Security flaws found by IT Mission
SQL Injection (SQLi)
SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server. On the website, www.tekerala.org, SQL Injection was carried out 20 times using eight links.
Cross-site scripting (XSS)
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Two links on the website were found to be exploitable through this vulnerability.
Prone to password-guessing attack
A password-guessing attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the one correct combination that works is found. The website lacked any security features to prevent this threat.
Lack of encryption
Encryption is the most effective way to achieve data security. To read an encrypted file, one must have access to a secret key or password that enables one to decrypt it. The website used unencrypted data, i.e., plain text.
Insecure root folder
An attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. With just a couple of clicks, all the information can be downloaded.