It seems the popularly known “Oxford of the East” and “One of the Premier Universities in India” in its own words, takes absolutely no security measures for its website (not even basic ) as far as its online examination forms are concerned.
While registering for an upcoming exam on the University of Pune’s website (http://exam.unipune.ac.in/LoginDB.aspx), I found a common, but a very serious security flaw.
It is very surprising that the website has no encryption whatsoever! It means that any kind of form you fill-in, the data is sent in an unsecured form of plain-text (or clear-text) to the University’s servers. Most of the login forms use HTTPS as opposed to the HTTP protocol that is used here.
An HTTP login would be something like sending your username and password to a friend written on a post card, which can easily read by anyone along its delivery path.
If you have ever done any form of online shopping or internet banking, you would have noticed a padlock sign somewhere near the address bar. This means that the connection to that website is secure and cannot be intercepted or ‘read’ by anyone else.
For those unfamiliar with basic web security, Here is an example to show you the difference between a secure and an unsecure webpage.
Here is the SBI Internet Banking Login Page. Note the PadLock Sign in the upper left corner and the ’HTTPS’ in the URL.
Below the unsecure webpage in question (University of Pune Examination Login Page)
PROOF – As I mentioned earlier, any data passing through an unsecured channel (HTTP) can be easily ‘read’ or intercepted. To show a demonstration of how this actually works, I am going to capture all packets in the network on which a user (which in this case is me) is accessing the university’s website.
For test purposes, we are going to use the username – ‘testuser123’ and password – ‘testpassword’ on the web page in question.
For this illustration, I am using an open-source packet capture utility called ‘Wireshark’
At this point, I have begun the packet capture, clicked on the ‘Login’ button, and Voila!, we have the username and the password that was entered in the login form.
Note the line “User=testuser123 ?&txtPass=testpassword” in the screenshot above. Also note the destination IP address which is the website’s IP address “18.104.22.168”
As you can see, it is very easy to capture packets and retrieve usernames and passwords of ALL the users in a network that are using an unsecured login form like this.
This is not only a problem with the student’s examination forms, but also a problem with the Colleges Login pages! (http://bcud.unipune.ac.in/Login.aspx)
As of this moment (while conducting this test), the website does not accept HTTPS connections, on any page.
Some Frequently Asked Questions:
1) Who is at risk?
A) Short Answer – Everyone - all students, colleges that are affiliated to the university, teachers and even various departments of the university itself who use the website.
2) What is the risk?
A) Once an attacker gains the sensitive information, depending on whose credentials have been captured (colleges’,teachers’ or students’), the extent of damage is only limited by the attacker’s imagination.
For example, should the attacker gain a student’s credentials, he can have access to things like his full name, address, date of birth and other personally identifiable information. Moreover, he can also make changes in the student’s profile, cancel his application for the examination, or even modify the student’s application to choose a different subject altogether.
If the attacker gains access to the college’s credentials, he can even attempt to add/remove the college’s affiliation to the university.
Moreover, most of the users tend to use the same password as their other email accounts on the website, as it is easy to remember a single password. This can have dire consequences, as not only their university’s account is compromised, but all other accounts that use the same password.
3) Is using the website always unsafe?
As long as you are on a private network like your home computer or on a 3G connection, you are less susceptible to these type of sniffing attacks.
The problem is, which is why I took the trouble to write this post, is that most people use public networks like college Wi-fi, computer labs, E-Library or cyber-cafes to get their examination forms printed.
4) What is the solution to this problem?
The university will have to purchase a Wildcard SSL certificate that hardly costs between RS 10,000 to RS 20,000, depending on the number of domains and subdomains they want the SSL certificate for. Once they have the certificates, they will have to configure their back-end (which is most likely Microsoft’s IIS) to use HTTPS and will have to install the SSL certificates.
The only question remains, is that why isn’t the university using secured webpages when it is so obvious?
Anyone with little knowledge in computer networks and web technologies can see how obviously unsecure the forms are.
So are they (UoP) aware of this situation, but are not willing to fix it? Don’t they take internet security, and user privacy seriously?
I really hope they do, as this is a major cause of concern that needs urgent attention.
If you are in anyway affiliated with the University of Pune (college/professors/students) and value your internet security, please bring it to the university’s attention by sharing this article with as many people as you can.
Until this problem is fixed, avoid using public internet (cyber cafe’s, free Wi-Fi hotspots etc.) at all costs!
Share this article
No related posts: