CBSE 10th and 12th Class Result 2020 Latest News

The Central Board of Secondary Education has declared the Class 12 results for the Arts, Commerce and Science streams and the Class 10 results on its official result portal, cbseresults.nic.in. Students who took the Class 10 examination can check their result online using their roll number, centre number, admit card ID and date of birth. Those unable to access the results over the internet can avail an SMS service, and the myCBSE app on Google Play can also be used to check and download the result. Google has partnered with CBSE to make it easier for students to find their results and other exam-related information: searching for "CBSE result" on google.com gives the pertinent link.

Along with the names of the toppers, the Board also announces the top performing regions of the country in order of overall pass percentage. Kendriya Vidyalaya recorded the highest pass percentage at 99.23, followed by Jawahar Navodaya Vidyalaya at 98.66, and 13 students obtained 499 out of 500 in the CBSE 10th result. Last year, the Class 10 examinations ran from 21 February to 29 March 2019. Because of the high competition, many students who are high performers at school level struggle to set realistic expectations for the CBSE Result 2020 of Class 10; the Board expects the overall success ratio to mark a significant improvement this year.

The result released online is provisional: students will have to collect the original mark sheet from their schools, and should check the marksheet carefully once the result is out. CBSE allows students to register for rechecking and re-evaluation online; those willing to apply must pay the required fee along with filling in the rechecking and/or re-evaluation form. Any change in the CBSE Class 10 2020 result is updated on the candidate's scorecard and a fresh marksheet is issued by the Board.

Sumit Kumar
(The writer is a content writer with specialization in the field of personal finance.)

DigiLocker: 7 things to know

DigiLocker is an online document storage facility (digilocker.gov.in) provided by the Government of India. It is an initiative of the Ministry of Electronics & IT that allows you to carry documents on the go and gives citizens access to authentic digital documents. Data from DigiLocker is shared only with the citizen's explicit consent, and the system is audited by recognised audit agencies. As per DigiLocker National Statistics, DigiLocker currently has 38.10 million registered users, 3.75 billion issued authentic documents, 155 issuer organisations and 44 requestor organisations.

CBSE provides Class 10 and Class 12 digital marksheets and certificates on DigiLocker. The SMS sent to students, as reported by Times Now, reads: "Please install DigiLocker app from https://getapp.digilocker.gov.in to access your digital CBSE marksheet/certificate. To login, use CBSE registered mobile number, OTP and enter the last 6 digits of roll number as a security pin."

How to access CBSE certificates using DigiLocker:

Step 1: Go to https://digilocker.gov.in/ or install the DigiLocker app from the Play Store or App Store (https://getapp.digilocker.gov.in).
Step 2: Click on "Sign in" and use the mobile number registered with CBSE. A 6-digit One Time Password (OTP) is sent to that number and is valid for 10 minutes; it may take a few minutes to arrive. Enter it to complete verification. The CBSE account has been created by CBSE and does not need an Aadhaar number; a regular account can be created by entering your Aadhaar number and completing the verification process, which also asks you to set a security PIN for 2-factor authentication.
Step 3: Enter the 6-digit security PIN. The CBSE SMS gives this as the last 6 digits of the roll number; other instructions on this page describe it as the date of birth on the admit card in ddmmyy form (for a date of birth of 13/10/1997 the security PIN would be 131097). Once the PIN is entered you get access to your account.
Step 4: Once fully logged in, click on "Issued Documents" to view and download the marksheet.

If you have forgotten your credentials, and your DigiLocker account is linked with your mobile number or at least your Aadhaar number, you can recover your username through "Forgot Username" and change your password through "Forgot Password" on the DigiLocker desktop site or mobile app.

The DigiLocker authentication flaw

A security researcher has discovered a vulnerability in DigiLocker that put the data of over 3.8 crore accounts at risk. It is an authentication flaw: the researcher pointed out that the mobile DigiLocker app uses a 4-digit PIN to implement an additional level of security, but it was possible to modify the API calls that authenticate the PIN by associating the PIN with another user (identified with a UUID) and gain access to the victim's account. He detailed his study in a Medium post, and the findings were sent to CERT-In and the DigiLocker teams. His account follows.

I started as a developer of web apps, but I wanted to pursue my dream in information security, so I moved to information security at Ernst and Young. I started as a part of ITRA doing penetration testing for external clients, including major banks, insurance and telecom companies across the Middle East and Africa. Later I moved into the global information security team, where I mostly handled critical internal applications and periodic security assessments of all internet-facing applications. I love this profession very much, as it gives challenges and opportunities to learn something new on a daily basis. Apart from that, I love robotics and hardware hacking, and currently I am building a 3D printer, a CNC machine and a robotic pet.

In light of all this, we at the YAS (Yet Another Security) community (215 members who are my hardcore brothers and sisters) had some talks in our WhatsApp group, and it turned out to be a discussion on techniques used for bypassing SSL pinning on mobile apps. To my surprise, I found that DigiLocker was not matching the basic security features of Aarogya Setu, such as custom root detection and custom SSL pinning checks, all wrapped inside an obfuscated binary. I set up the app on my test devices and fired up my favourite toolset, Burp Suite + Frida. The app uses weak SSL pinning; it can be bypassed easily with tools like Frida and known techniques. This made me think about how to bypass the SMS OTP of a user, because the PIN is asked only after the OTP validation with the account (mobile number). I figured all this out by looking at the mobile app of DigiLocker; wait a minute, there is also a web portal for DigiLocker, and looking at that gave me more internal knowledge. Here is a summary of the findings; I just gave a risk rating based on industry standards for each.

To give more technical context, internally the system denotes each user with a unique v5 UUID (v5 denotes it has enough entropy, that there is less chance of duplication, and that it has enough randomness to it), so to set a new PIN for a user all you need is to call the endpoint with the UUID and the new PIN value.

Vulnerability #1: OTP bypass. Let's assume the attacker creates, or gets hold of, a valid dummy account.
1. The attacker uses a valid user account that he has access to and starts the login process by submitting the phone number.
2. The attacker proceeds to submit the secret PIN. The mobile app calls two URLs for this (POST requests) and the web application calls two URLs (POST requests). All the above calls post a base64 combination of user_uuid:secret_pin (similar to basic auth) on the parameter.
3. The attacker modifies these calls to any user's uuid and secret pin combination before it is submitted.
4. The attacker is now logged in as the victim, hence the victim's OTP protection is bypassed.
[Screenshot: sample login call. Similar calls can be used to reset the PIN of any user without authentication.]

Vulnerability #2: PIN takeover. The PIN-setting API/URL lacks any authorization and can be used to reset the PIN of any user without authentication.
1. The attacker finds the uuid of a user or randomly picks one.
2. The attacker submits the uuid of the user and a new PIN to the URL, taking over the PIN of that user.
3. The attacker uses vulnerability #1 above to gain access to the account.
4. The API can then be called directly as described above to access functions or data directly.

Vulnerability #3: encryption downgrade. All calls from mobile carry a header flag is_encrypted: 1, which denotes that the user has to submit the credentials (user_uuid:secret_pin) in basic auth format encrypted with AES/CBC/PKCS5Padding and the key We4c4HYS5eagYdshfEP2KY27KwkjaZNH. However, it was found that the same API can be accessed by removing the is_encrypted: 1 flag and then submitting the credentials in plain basic auth format (user_uuid:secret_pin).
[Screenshot: sample call removing the header flag and using unencrypted credentials.]
[Screenshot: output of a custom script to monitor crypto functions in the mobile app.]

The common root cause across these findings is that the server trusts client-supplied identity: the uuid in the request body decides whose PIN is checked or changed, instead of the identity already established when the OTP was verified. Client-side encryption with a key shipped inside the app, selected by a client-controlled flag, adds obfuscation but no authentication: anyone who unpacks the binary has the key, and anyone who controls the request can drop the flag. The fix is to bind PIN verification to the OTP-verified session and to require an authenticated session that owns the account for any PIN change.
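The following is an added example written for this page; it is not the researcher's code nor DigiLocker's. It models the OTP-then-PIN login in memory so that the attack chain above (reset the victim's PIN with the unauthorized endpoint, then submit base64(victim_uuid:new_pin) from the attacker's own OTP-verified session) can be run against a vulnerable and a hardened version of the same handlers. The class and method names (PinServer, start_login, verify_otp, verify_pin, set_pin), the session model, and the sample uuids, phone numbers and PINs are all assumptions; the real endpoint URLs, OTP checking and the is_encrypted header are not modelled.

```python
import base64
import secrets
from dataclasses import dataclass

# Constructed sample accounts keyed by uuid; uuids, phone numbers and PINs are fake.
SAMPLE_USERS = {
    "2a7d9c1e-4b0f-5f3a-8e6d-1c2b3a4d5e60": {"phone": "+910000000001", "pin": "1234"},
    "7e3f1a9b-2c8d-5d4e-9f0a-6b5c4d3e2f10": {"phone": "+910000000002", "pin": "9876"},
}
ATTACKER, VICTIM = tuple(SAMPLE_USERS)


@dataclass
class Session:
    uuid: str                   # account whose phone number received the OTP
    otp_verified: bool = False
    authenticated: bool = False


def basic_param(uuid: str, pin: str) -> str:
    """Client side: the base64(user_uuid:secret_pin) value posted on the parameter."""
    return base64.b64encode(f"{uuid}:{pin}".encode()).decode()


class PinServer:
    """In-memory model of the OTP + PIN login. hardened=False reproduces the reported behaviour."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.users = {u: dict(r) for u, r in SAMPLE_USERS.items()}  # fresh state per instance
        self.sessions: dict[str, Session] = {}

    def start_login(self, phone: str) -> str:
        """Step 1: phone number submitted; the session is bound to the account owning it."""
        uuid = next(u for u, r in self.users.items() if r["phone"] == phone)
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(uuid=uuid)
        return sid

    def verify_otp(self, sid: str) -> None:
        """Step 2: OTP entry. OTP generation and checking are not modelled; assume it passed."""
        self.sessions[sid].otp_verified = True

    def verify_pin(self, sid: str, param: str):
        """Step 3: PIN entry. Returns the uuid the session is now logged in as, or None."""
        sess = self.sessions[sid]
        uuid, pin = base64.b64decode(param).decode().split(":", 1)
        if not sess.otp_verified:
            return None
        if self.hardened and uuid != sess.uuid:
            return None             # identity comes from the OTP step, never from the body
        user = self.users.get(uuid)
        if user is None or not secrets.compare_digest(user["pin"], pin):
            return None
        sess.uuid = uuid            # vulnerable: the session becomes whoever the body named
        sess.authenticated = True
        return uuid

    def set_pin(self, sid, uuid: str, new_pin: str) -> bool:
        """PIN-setting endpoint. sid may be None: the reported endpoint needed no session."""
        if self.hardened:
            sess = self.sessions.get(sid)
            if sess is None or not sess.authenticated or uuid != sess.uuid:
                return False        # only an authenticated user may change their own PIN
        self.users[uuid]["pin"] = new_pin
        return True


def takeover_chain(hardened: bool):
    """Attacker with an account of their own: reset the victim's PIN (#2), log in as victim (#1)."""
    srv = PinServer(hardened)
    sid = srv.start_login(srv.users[ATTACKER]["phone"])
    srv.verify_otp(sid)                         # the OTP arrives on the attacker's own phone
    reset_ok = srv.set_pin(None, VICTIM, "0000")
    logged_in_as = srv.verify_pin(sid, basic_param(VICTIM, "0000"))
    return reset_ok, logged_in_as


if __name__ == "__main__":
    print("vulnerable:", takeover_chain(False))   # (True, victim uuid)
    print("hardened:  ", takeover_chain(True))    # (False, None)
```

The hardened handlers never read an identity out of the request body: verify_pin only accepts the uuid the session was bound to at the phone-number step, and set_pin requires an authenticated session for that same uuid. Under those rules the chain fails at both steps even though the attacker's own login still works.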