Delhi University has decided to release an admit card through online mode. But this decision has led to the disclosure of the personal details of students.
The release of online admit card has disclosed bank account details and phone numbers of many students. Even though the administration was aware of this happening, still the system leaked information during publication time. Students of Delhi University said to the authority that anyone can access their admit card who knows the name, roll number, and college code. Anybody can get these details available on the mark sheet uploaded on the DU website. All the personal details of the students can be recovered from the admit card. Computer science students told the authority that the release of such information on the admit card can disclose more authentic data of students. The security researcher illustrated how the University is not taking care of the personal details of students. It is not safe to discuss this sensitive information without the permission of students.
A LINK WAS SHARED ON THE WHATSAPP GROUP TO DOWNLOAD ADMIT CARDS
Final year students are still left to appear for exams. So Delhi University said that it will send a link to colleges through which students can download their admit cards for open book exams. This initiative of sharing admit cards was started in the first week of July. A link was shared on WhatsApp for final year students of undergraduate and postgraduate courses. This link was accessed by many students undergraduate and postgraduate courses. Students realized that there is no unique identity or information needed to get access to the admit card. Only name, roll number, and college code is needed to download the admit card. That information can be accessed by anyone on the official site of DU. A computer science students exposed the insecure endpoint. The link was still accessible by the students.
FIRST YEAR STUDENTS CAN ALSO ACCESS THE LINK FOR DOWNLOADING THEIR ADMIT CARD
A student of Delhi University said that his college also accessed the same link given by the university. A first-year student said that he was able to download his admit card. He asked whether he has to appear for exams or not. He was able to access the admit card of his friend. This link was supposed to be accessible only to final year students. The student said that their personal details can be used to enter into Delhi University college portal. It showed the student’s name, attendance, marks, and even his sensitive information like bank details and Aadhaar card. The security researcher Karan Saini said that anyone having knowledge of the existence of the flaw and HTML functions and knows how to send an automated message can get accessed to a student’s personal details. He said he has alerted the head of the department, teachers, DUTA president and also sent the details on the same day.
He also sent information to the dealing assistant of the college. The Indian National Teachers Congress raised the issue to the authority and confirmed to Delhi University related to the seriousness of the breach.
The administration will never say no but will neither do anything. They are destroying public institutions and working as the instrument of MHRD. Shankar said that they did not acknowledge the sensitive information disclosed.
A COMPLAINT IS FILED AGAINST THE VICE-CHANCELLOR
The student received an acknowledgment of the report in which it said they are working on the appropriate actions and concerned authorities. He said the details of students of NCWEB was also exposed. The president of NSUI and DU student’s union former president filed a complaint against the vice-chancellor of Delhi University. They said that it can endanger the lives of students. The portal was finally taken offline and the new link was generated. They only changed the name of the folder. The admit card was still accessible and they did not put an emphasis on the actual issue.
The security researcher likened Delhi University’s response. As the University has to deal with many critical functions, the departments have to think about how personal details of students can be secured. He said that there needs to be some changes in the design that will ensure easy access to legitimate users and becomes harder for unauthorized individuals to misuse the information.
He further said that when the database grants much availability of information at a reasonable cost, it made the work of unscrupulous forces much easier.