As the Central Board of Secondary Education (CBSE) in India released the CBSE results 2024 for its class 10th and 12th examinations, a significant cybersecurity flaw was discovered on the official website. This vulnerability, identified by The Cyber Express, could potentially allow unauthorized individuals to view and alter students' examination results. The exams for Class 12 were held from February 15 to April 2, and for Class 10 from February 15 to March 13, conducted using traditional pen-and-paper methods where a total of 3,860,051 students appeared. Of these, 1,621,224 students participated in the Class 12 exams, while a significantly larger group of 2,238,827 students took the Class 10 exams. On Monday, students could access their results online by entering details such as their date of birth, roll code, and roll number. But the security loophole, discovered early this morning, could potentially lead to a massive CBSE data leak, affecting millions of students across India.  The vulnerability was first noticed early this morning when the results were supposed to be securely accessible to students and their families. The flaw on the CBSE website revolves around the exposure of administrative credentials and a technical misconfiguration in the SQL database system, specifically within a stored procedure called 'Getcbse10_All_2024'. To the average person, this might merely seem like a glitch, but it's a significant security flaw that provides an opportunity for malicious actors to manipulate and misuse crucial information, including outcomes. The ramifications are profound, as this vulnerability endangers the personal and academic data of countless students, potentially impacting their future opportunities.

CBSE Results 2024: Student Data Risk Explained

[caption id="attachment_68160" align="alignnone" width="2648"] The error message also includes connection string details, which are critical for connecting to the database but should never be exposed as they can lead to security risks.[/caption] The code message displayed on the website originates from a database query related to retrieving data concerning CBSE (Central Board of Secondary Education) Class 10 results for the year 2024. 'Getcbse10_All_2024' refers to a stored procedure in the database. A stored procedure is a prepared SQL code that you can save and reuse. In this case, it's likely a procedure intended to retrieve all data related to the CBSE Class 10 results for the year 2024. The procedure 'Getcbse10_All_2024' is expecting a parameter named '@admid', but it was not provided in the call to the procedure. The '@admid' likely stands for "Administrator ID" or a similar identifier that should be passed to the procedure to execute properly. The absence of this parameter means the procedure cannot run as intended, leading to an error. The error message also includes connection string details, which are critical for connecting to the database but should never be exposed as they can lead to security risks. provider=MSOLEDBSQL: This specifies the provider used for SQL Server. MSOLEDBSQL is a Microsoft OLE DB provider for SQL Server. server=10.***.10.***: This is the IP address of the server where the database is hosted. Knowing the server address can allow unauthorized users to attempt connections to the database. Database=****results**: This is the name of the database. Knowing the database name helps in directing queries and commands to the correct database. uid=cbseresults24; pwd=****************** : These are the credentials (username 'uid' and password 'pwd') used to authenticate to the database. With these credentials, an unauthorized user could potentially gain full access to the database, allowing them to view, modify, or delete data. Although the exposed data presents a significant risk, a researcher from the AI-powered threat intelligence platform, Cyble, noted that the threat potential is somewhat mitigated by incomplete information disclosure. “The IP address is internal and not public, which means that for a threat actor to extract information or gain access, they would need to engage in offensive actions like SQL injections or other methods. However, this does not diminish the seriousness of the exposed ID and password, which could still be exploited if the correct server address is discovered,” the researcher explained. The error message not only indicates a technical issue in the database query execution but also highlights a potential vulnerability. If exploited by an individual skilled in database management and privilege escalation, this vulnerability could allow unauthorized access to the database. Such unauthorized access could lead to various security risks, including data manipulation, deletion, or use for malicious purposes such as phishing or blackmail. Immediate steps should be taken to secure the database, which include changing the database credentials, reviewing logs to check for unauthorized access, and implementing better security practices like not exposing sensitive information in error messages or logs.

Why CBSE Matters

The Central Board of Secondary Education (CBSE) is a prominent national education board in India, overseeing both public and private schools. It is under the direct purview of the Ministry of Education, Government of India. The CBSE administers comprehensive examinations for students completing their 10th and 12th grades, which are crucial for advancing to higher education and professional pathways. The board is recognized for its rigorous curriculum and is influential in setting educational standards across the country. The Cyber Express has contacted officials at the Central Board of Secondary Education (CBSE) to notify them of a detected vulnerability. We inquired if they are aware of the issue, the causes of this glitch, and the steps they intend to take to address it. We are currently awaiting a response from the organization.

Technical Aspect of the CBSE Data Exposure: Potential Risks

The exposure of the admin database ID and password in the CBSE data leak opens up several potential risks. While none of these events have occurred, the exposure of such critical credentials could lead to severe consequences if not addressed promptly. 1. Unauthorized Access and Control: With the admin credentials exposed, there is a potential for unauthorized users to gain full access to the CBSE's SQL database. This would allow them to view, copy, and manipulate sensitive data, including examination results and student personal information. 2. Risk of Data Manipulation: The ability to alter data is a significant risk. Although no data has been reported as altered, the possibility exists. Unauthorized changes could include tampering with examination results or modifying student records, which could severely undermine the integrity of the CBSE's educational assessments. 3. Threat of Data Theft: The exposed credentials could potentially be used to access and extract sensitive information. This data, which could include personal details of students and staff, is at risk of being used for malicious purposes such as identity theft or fraud. 4. Potential for Operational Disruption: While no disruptions have occurred, the exposed credentials could be used to damage data integrity or lock out legitimate users, potentially causing significant disruptions to CBSE's operations and affecting educational activities. 5. Foundation for Further Attacks: The leak itself could facilitate further attacks. With administrative access, attackers could deploy additional malicious software, establish backdoors for continued access, or leverage the compromised database to launch attacks on connected systems. The situation remains fluid, and updates are expected as more information becomes available. Stay subscribed to The Cyber Express to learn more about the story as it proceeds. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

About a month ago, The PC Security Channel (TPSC) ran a test to check out the detection capabilities of Malwarebytes. They tested Malwarebytes by executing a repository of 2015 “malicious” files to see how many Malwarebytes would detect.

This YouTube video shows how a script executes the files and Malwarebytes blocks and immediately quarantines the majority of them.

Malwarebytes missed 34 out of those 2015 files, giving us a score of 98.31%. Many vendors would have been proud of that, but being who we are, we wanted to do better. So we asked whether we could have a look at the files we missed, and TPSC was kind enough to offer us that chance.

Two of the missed files were identified as PUPs. PUP is short for Potentially Unwanted Programs. The emphasis here is on Potentially because they live in the grey area of what people might consider to be acceptable. Some PUPs simply don’t meet our detection criteria.

Anyway, back to the review of the malicious files we missed. As you can see in the sheet below (click to expand), after a full review we were left with four malicious files that we missed and the two PUP-related files.

After circling back to TPSC, they graciously agreed with our assessment of the non-malicious files. That brings Malwarebytes’ score up to 99.8 % which is a lot closer to our usual performance in such tests. The four malicious files have all been added to our detections.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.