
(Security?) Loophole on AIEEE Site!

Posted on Feb 5, 2008 in Tech Takes


This is something Naman pointed out to me, that the AIEEE website has now started uploading application status details in batches. It’s not according to the registration number you’d have got, it’s according to how early you sent in your application. I was a bit worried that mine might be rejected because the photo I’d sent didn’t have the date and time on it, but it seems they HAVE accepted it. Phew!

The curious thing is, although the earlier form printing page does carry out a low-level check *at least* by asking the candidate’s date of birth (apart from the application number) before proceeding to show the details, the AIEEE 2008 application status page simply shows the details. And here’s the nice bit – it allows you to change the application details of abso-friggin-lutely any person. Don’t believe what I say? Here’s one application number I entered randomly – 424242 (gawd, I’d have loved to have that roll number!). It takes you to a page which shows the details, and if it has been uploaded gives you two options – ‘No Change’ and ‘Want To Change’.

[Image: AIEEE 2008 application status site loophole]

As you can see, there’s the option for making changes. Click on the ones you want to edit, and make the change in the following page – and absolutely no authentication is done! The data has been changed on their system – all you need to do now is mail it to them. You need to include a photocopy of the original application too, but say I’m hell-bent on taking revenge on someone, then I can forge that too easily – since I’ve all the original data with me in the initial view. I felt really tempted to change 424242’s app to say ‘Arthur Dent’, but then, I don’t want to destroy someone’s career.

Even if someone goes and clicks ‘No Change’, it can mean trouble, because that can only be done once. Say your application had some mistake, and you want to correct it and go to their site. Now if somebody has already entered that number (randomly?), and clicked ‘No Change’, then the site won’t allow you to change anything, saying that ‘You have already been to this page and asked for no change on ‘.
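
An added example, not from the original post and not the AIEEE site's code: a sketch of the server-side check the status page skips, reusing the application number plus date of birth pairing that the form printing page asks for, and applying it before both viewing and the one-time ‘No Change’ / ‘Want To Change’ choice. The sample records, field names, `EDITABLE` whitelist and per-client throttle are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional
class AuthError(Exception): pass
class AlreadyDecided(Exception): pass

@dataclass
class Application:
    dob: str                        # "YYYY-MM-DD"
    details: dict
    decision: Optional[str] = None  # None, "no_change" or "change"

# Constructed sample records (not real applicants).
DB = {"100001": Application("1990-01-15", {"name": "Sample One", "city": "Pune"}),
      "100002": Application("1990-07-30", {"name": "Sample Two", "city": "Agra"})}
EDITABLE = {"name", "city"}  # assumed whitelist of correctable fields
MAX_FAILURES = 5             # assumed throttle threshold
failures = {}                # client id -> failed attempts

def authenticate(db, client, number, dob):
    """Return the record only when number AND date of birth both match."""
    # Throttle per client, not per application number, so a stranger
    # guessing dates cannot lock the real applicant out.
    if failures.get(client, 0) >= MAX_FAILURES:
        raise AuthError("too many failed attempts")
    app = db.get(number)
    expected = app.dob if app else ""
    match = hmac.compare_digest(expected.encode(), dob.encode())
    if app is None or not match:
        # Same error for unknown number and wrong date: no enumeration hint.
        failures[client] = failures.get(client, 0) + 1
        raise AuthError("application number and date of birth do not match")
    return app

def view_status(db, client, number, dob):
    return dict(authenticate(db, client, number, dob).details)

def record_decision(db, client, number, dob, decision, changes=None):
    """Apply the one-time 'no_change' / 'change' choice after authentication."""
    app = authenticate(db, client, number, dob)
    if app.decision is not None:
        raise AlreadyDecided(app.decision)
    if decision == "change":
        if not changes or set(changes) - EDITABLE:
            raise ValueError("empty or unsupported change set")
        app.details.update(changes)
    elif decision != "no_change":
        raise ValueError("unknown decision")
    app.decision = decision
    return app.decision
```

A date of birth is a weak shared secret, so this only restores the level of checking the form printing page already had; the point is that the one-time decision is recorded only for a caller who passed it.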

I tried my best to get in touch with CBSE (the organization conducting the exam) and NIC (the people maintaining the website), yet there has been no response from them. The main point here is that no ‘hacking’ is taking place because nobody is circumventing any ‘authentication’ as there IS none to speak of. You aren’t illegally accessing any ‘private database’ either – as everything has been put up for the public without following normal safeguards.

NIC and CBSE, in all their ingenuity, don’t seem to have really bothered to protect the interests of 7 lakh students across the country – and that’s their own number. It’s as bad as the case when MSN Hotmail once had a flaw in which if you typed in ‘eh’ as the password, you could access ANY goddamn Hotmail ID in the world. Except that in this case, careers are at stake.


