On October 18th, 2024, what began as casual WhatsApp banter evolved into the discovery of one of the most significant data security vulnerabilities in DPS Bokaro's history. A seemingly innocuous endpoint in the school's digital infrastructure turned out to be an unguarded gateway to sensitive student information.
At its core, the vulnerability existed in an endpoint that required only a student's admission number to access their data. Here's where it gets fascinating - the admission numbers followed a predictable pattern:
format: xyz/dd/mm/yyyy
xyz = 3 digits
dd = day (1-31)
mm = month (1-12)
yyyy = year
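Added example, not from the original post: a defender-side check that scans access logs for one client looking up many different admission numbers in a short window, which is how abuse of a guessable identifier shows up. The log layout, the /student?adm= path, the addresses and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Admission number format from the article: xyz/dd/mm/yyyy
ADM_RE = re.compile(r"adm=(\d{3}/(0?[1-9]|[12]\d|3[01])/(0?[1-9]|1[0-2])/\d{4})\b")
WINDOW = timedelta(minutes=5)   # assumed sliding-window size
MAX_DISTINCT = 3                # assumed: a family rarely needs more than a few IDs

# Constructed sample log lines: "<time> <client> <method> <target> <status>"
SAMPLE_LOG = [
    "2024-10-18T10:00:01 198.51.100.20 GET /student?adm=123/04/07/2008 200",
    "2024-10-18T10:00:09 198.51.100.20 GET /student?adm=123/04/07/2008 200",
    "2024-10-18T10:00:10 203.0.113.7 GET /student?adm=101/01/01/2009 200",
    "2024-10-18T10:00:11 203.0.113.7 GET /student?adm=101/02/01/2009 404",
    "2024-10-18T10:00:12 203.0.113.7 GET /student?adm=101/03/01/2009 404",
    "2024-10-18T10:00:13 203.0.113.7 GET /student?adm=101/04/01/2009 200",
    "2024-10-18T10:00:14 203.0.113.7 GET /student?adm=101/05/01/2009 404",
    "2024-10-18T10:02:00 198.51.100.20 GET /index.html 200",
]

def parse(line):
    """Return (time, client, admission_no), or None if the line is not a lookup."""
    ts, client, _method, target, _status = line.split()
    m = ADM_RE.search(target)
    return (datetime.fromisoformat(ts), client, m.group(1)) if m else None

def find_enumerators(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Map each client that exceeded max_distinct admission numbers in a window to its peak count."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_client[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop lookups that fell out of the window
            distinct = {adm for _, adm in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Repeated requests for the same admission number are not flagged; only the count of distinct numbers per client matters. Alerting like this only surfaces abuse, and the endpoint still needs an authenticated session tied to the student before it returns any record.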
The real kicker? This wasn't just about downloading PDFs. The exposed data created a domino effect: