00:00Now, while the likes of Class 12 students are staring at their mark sheets in absolute disbelief,
00:05one question keeps coming.
00:08Could this have been avoided?
00:10On the program today, we are going to meet the boy who may have the answer.
00:15He's a Class 12 student himself, in fact, just finished his board exams.
00:19And months before the controversy blew up,
00:21he had already found critical vulnerabilities in the very portal that was used to evaluate the answer sheets.
00:31He flagged it.
00:32He warned the CBSE.
00:34He did everything right.
00:37But look where we are.
00:39That ethical hacker now joins us on the program.
00:43He has requested that his face be blurred.
00:46So let me just bring him on.
00:52Hi there.
00:53I also have a couple of other students and teachers with me,
00:57but let me go to him first.
01:01I want to understand from you, Mr. Ethical Hacker,
01:07why did you even think of sort of testing the system this time around?
01:13How did it start?
01:15So I started doing ethical hacking really young, when I was 13 or 14.
01:20And I was also attending 12 board exams this year.
01:25And when CBSE announced that everything will be done digitally,
01:29and there will be a portal and all,
01:31I looked up the circulars, and it just sparked my curiosity.
01:34The portal was online, and it wasn't IP-gated.
01:37Like, anyone with any IP address can access it.
01:39So I accessed the portal.
01:41I started playing with the network requests and stuff.
01:43But I didn't have any password or credentials to log in,
01:46as I'm not a teacher.
01:47That's normal.
01:49So I just, like, extracted the code,
01:51which is available on the front end of the website.
01:53I downloaded the code.
01:55I started reading what's in the code.
01:58And then I just used a search function.
02:02And then I just started reading the logic around passwords,
02:08OTPs, how they're being processed.
02:10And then I came across the most, like,
02:13the stress part, which was the master password being hard-coded.
02:16I used that password,
02:18and I could log in as any examiner with their user ID.
02:22So I tried to log in as an examiner.
02:25I recorded it, and I was successfully able to log in.
02:28And there was an option to change grades also.
02:30And I could grade papers myself.
02:32Like, I could put marks, as many marks I want,
02:34as much marks I want.
02:35So I recorded all of it,
02:37sent it to CERT-In, like,
02:38the computer emergency response team of the Indian government.
02:41They asked for more details.
02:43I gave them all of the details I had.
02:44I also found other vulnerabilities
02:46after I got into their system.
02:49And I documented all of them.
02:51It was, like, five or six vulnerabilities.
02:53And I informed CERT-In...
02:54How long did it take for you to identify these glitches?
03:00Not as long.
03:01Two or three hours max.
03:02The phone journal took, like, 30 minutes max, I think.
03:06Okay.
03:07So it took you 30 minutes,
03:10or maybe a little longer,
03:11to hack into the CBSE's answer sheet system.
03:16Now, help me understand,
03:17what all were the vulnerabilities that you found there?
03:20And this was done in Feb,
03:21if I'm not wrong,
03:22from what you told me?
03:23In February...
03:24Yes, it was in 25.
03:2625th.
03:26Okay, 25th of Feb is when you tried this exercise.
03:29You could hack into the system.
03:30You got the master password.
03:31And then you could log in as any teacher
03:33and make changes.
03:34What all changes could you make?
03:37I could change teacher's name,
03:39their phone number.
03:39I could see their emails.
03:40I also could, like, put bank details.
03:42There was an option for bank.
03:43I think CBSE paid teachers separately
03:45to grade the papers.
03:47I think that's why it was there.
03:49I could put marks on the sheets assigned to that teacher.
03:53That was the most scary part of all,
03:55like, in the system.
03:59Am I understanding you correctly
04:00that you could change the marks of students?
04:04Yes, I could.
04:05I could put grades in there.
04:06Like, there was an option
04:07to start checking the papers.
04:09I mean, I was impersonating an actual examiner
04:12and I could do anything an evaluator can do.
04:16All right.
04:17Am I...
04:17Okay, I'm asking you that again
04:19because I think you should make that clear.
04:21You're saying in February of this year,
04:24before the examinations actually took place,
04:27you hacked into the CBSE system
04:28and you could change the marks of whoever you wanted.
04:32Examinations were going on.
04:33Was going on.
04:35In the middle of it, you could change the marks.
04:37Yes.
04:39Okay, let me ask you this.
04:42Some 17 lakh students give this paper.
04:46When the re-evaluation opened this time,
04:48in the first three hours,
04:50three lakh re-evaluation requests had already gone.
04:55Now, we only know about the cases of these two,
04:58Vedant and Sanjana,
04:59that we just pointed out in the program.
05:01If the re-evaluation did take place
05:04under the same system,
05:06could it still be hacked?
05:07Is it still vulnerable as we speak?
05:11It was vulnerable last night.
05:13I reported five or six vulnerabilities.
05:16They only fixed one.
05:17And I sent another report last night.
05:19I found another vulnerability I found last night,
05:21which was really severe.
05:22And they took all the portals down.
05:25Like, there were five or six mirrors of the portal.
05:27And those are down to right now, as we speak.
05:32Okay, so you pointed out five or six discrepancies.
05:35One was fixed.
05:37And what was the reply?
05:39When you did flag it off,
05:41whose did you send out all your findings to?
05:45I sent it to CERT-In.
05:46I also notified CBSE separately.
05:48I asked them,
05:49how can I report security vulnerabilities in a system?
05:52Back then, in February, they didn't reply.
05:55CERT-In just said, thank you.
05:56And they said they will flag it to CBSE,
05:58the vendor, whatever.
05:59I also notified the vendor,
06:01which manages the platform.
06:03They also didn't reply.
06:06No reply from them?
06:08No, no reply from CBSE or the vendor.
06:10Only CERT-In replied.
06:12And that's just a simple thank you.
06:14So that's like an automated reply then?
06:17Not an automated reply.
06:18It's a human reply, I'm pretty sure.
06:20But it's just a boilerplate acknowledgement they sent.
06:23I see.
06:24Are you surprised now
06:26when all these paper marking mix-ups are happening?
06:29Or would you say you just saw it coming back then in Feb?
06:33I'm not really surprised
06:35considering how negligent they are.
06:38Yeah.
06:40And Nisarga, if I can say,
06:41you're a Class 12 student yourself?
06:44Yes.
06:45If you could hack it in 30 minutes,
06:48would you say there are
06:49several other kids like you
06:50who could have done it?
06:52Yes.
06:53Might be if someone just
06:55spent a little bit of time
06:56examining the site,
06:57how it's working and all.
06:58They could help.
06:59It wasn't really hard to hack.
07:00It was one of the easiest hacks of my life.
07:05It was one of the easiest hacks of your life.
07:08Yes.
07:09To hack into the CBSE.
07:10Yes.
07:11I also wrote about it in my blog.
07:13And it was really easy.
07:15You don't even need to know programming.
07:17You just need control plus F.
07:19Just look at the logic,
07:20how the password is being processed
07:21and just put the password.
07:22That was it.
07:23That was the first vulnerability.
07:25Others are more technical.
07:26But that was the master vulnerability
07:28anyone could have used to alter the grades.
07:32You are a class 12 student.
07:34Talk to me now,
07:35not as an ethical hacker,
07:36but a student.
07:39How do you feel
07:40when the exam you prepared so hard for
07:44is A, so poorly planned,
07:48and B, even when warnings are sent
07:53by ethical hackers,
07:54by people who mean well,
07:56by students who mean well like you,
07:59the system still looks the other way.
08:03I'm just speechless.
08:04I actually saw it coming
08:05because I have other friends who reported
08:07other vulnerabilities to Indian government long back.
08:10and they also didn't get any reply,
08:11and they were also ignored,
08:13and they also said
08:14this bureaucracy or this negligence.
08:18So I'm just not really surprised.
08:19I'm just disappointed.
08:20What can I even say?
08:23Do you want to say something
08:24to the CBSE heads,
08:26to the education minister today?
08:28I just hope that they take students
08:31more seriously,
08:32their privacy,
08:33their security more seriously
08:34because this is just pretty sad to see.
08:37This is a national-level examination.
08:39All the Class 12 students are attending it
08:41and anyone can break in
08:43and edit the marks.
08:44It's just disappointing
08:47to see it on this.
08:49All right, Nisarga,
08:50thank you so much for speaking with us.
08:53Thank you for doing this.
08:55I'm sorry that the system failed you.
08:57We all know,
08:58we've all given class 10th
09:00to our 12th examination.
09:01We know how hard it is.
09:02We know what a harrowing time
09:03it is in a student's life.
09:06So thank you for doing the right thing,
09:08for warning the system.
09:10It is a system that has failed you today
09:12and that's a story
09:13that we'll have to pick up from here.
09:19All right, that is Nisarga.
09:23He is saying it took him
09:27precisely 30 minutes,
09:28that's all,
09:30to break into the system.