It was the anxious request of two of his friends about their board exam results that made Debhargya Das, a young software engineering intern, to peep into the ICSE results before they were publically available. Shockingly, the incident which is described elaborately with graphs and description in his blog, has unveiled a long list of anomalies that has crept into the education system.
In his blog, deedy.quora.com, 20-year-old Das has stated how he had hacked into the Council for the Indian school Certificate Examinations (CISCE) website and was able to access the board exam results for the whole country.
According to Das, a Cornell University graduate, the site was a piece of 'sloppy web-work.' "Viewing the source of the invalid page reveals some very poorly written and badly styled JavaScript. The JavaScript wasn't separated away from the HTML into its own JS file (as it is usually done." Neither was it minified. It was some sloppy web-work."
"Acquiring the results of ICSE and ISE candidates looked extremely straightforward because the results page had no proper security mechanism whatsoever," said Das in his blog post titled 'Hacking into the Indian education system.'
According to him, the school-ID and student-ID appeared in linear order. "There were several slight intricacies-school IDs for the same school were different for the different examinations. Eventually, it seemed like ICSE school-IDs ranged from 4001 to 5568 and ISC School IDs ranged from 9001-9793. Student IDs always started at 001 and continued incrementally until the last student of that school," he said.
His task to retrieve the results was really simple as he just had to write a program which found the ranges and store the results in his computer. He said that within hours the whole results were available on his computer, in 'a bunch of comma-separated value files'.
Das gave a detailed statistical analysis of the entire country's result and also accuses the CICSE board of fraudulent mark distribution. "Whether they changed some results by plus or minus 1 or plus or minus 5 is irrelevant. Fact is, they changed some results."
Das also claims that he recently cracked into the CBSE class XII security and stated that the board also faces some serious security challenges.
Das, who declared that the motive of his public revelation was to expose the vulnerability of information on the web in India, said in a Mail Today report that he does not fear legal action. "I have only accessed data available in public domain. What I can definitely conclude is that regardless of whether marks were tampered with or arise out of a special policy decision, something is definitely wrong," he stated in the daily.
If the personal account given in Das' blog is to be held as true then the ICSE and CBSE boards which conduct the two most significant examinations in the country need to revamp their system from grassroots level. On a postive note, the ICSE website has started monitoring IPs since the news of the hacking broke out.