Dedicated to all 215 members who are my hardcore brothers and sisters from the YAS community. Thanks for all your support and inspiration to do this.

During the beginning of May 2020 there was a large commotion about the Aarogya Setu app and its security after a so-called "hack" by the infamous political hacker named Elliot Alderson. In light of all this, we at the YAS (Yet Another Security) community had some talks in our WhatsApp group. This whole discussion made me curious about other apps from the Indian government, and since I have worked on similar projects outside of India, DigiLocker caught my attention.

DigiLocker is an online document storage portal (digilocker.gov.in) provided by the Ministry of Electronics and IT, Government of India. It was launched for all Indian citizens to store their crucial documents and certificates such as Aadhaar, PAN and other government certificates. As per DigiLocker national statistics, DigiLocker currently has 38.10 million registered users, 3.75 billion issued authentic documents, 155 issuer organizations and 44 requestor organizations. The mobile app comes with a 4-digit PIN, which adds another layer of security on top of the SMS OTP.

Hence, I downloaded the app, installed it on my test devices and fired up my favourite toolset, Burp Suite + Frida. To my surprise, I found that DigiLocker was not matching the basic security features of Aarogya Setu, such as custom root detection and custom SSL pinning checks, all wrapped inside an obfuscated binary. The app uses weak SSL pinning that can be bypassed easily with tools like Frida and known techniques, so I used my homebrewed pinning bypass scripts to actively intercept the app's communication with the backend. This is not going to be a discussion on the techniques used for bypassing SSL pinning on mobile apps.

I figured all this out by looking at the mobile app of DigiLocker, and then: wait a minute, there is a web portal for DigiLocker too. I started to look at the web portal, and that gave me more internal knowledge of the mobile app. Here are some observations that I sent to CERT-IN and the DigiLocker teams.

It was observed that the API calls from mobile were using basic authentication to fetch data or do transactions. All calls from mobile carry a header flag is_encrypted: 1, which denotes that the user has to submit the credentials (user_uuid:secret_pin) in basic auth format, encrypted with Algorithm: AES/CBC/PKCS5Padding and the key We4c4HYS5eagYdshfEP2KY27KwkjaZNH. However, it was found that the same API can be accessed by removing the is_encrypted: 1 flag and then submitting the credentials in plain basic auth format (user_uuid:secret_pin). Since the key ships inside the app and the server accepts the unencrypted form anyway, this layer adds nothing beyond what TLS already provides.

Sample call removing the header flag and using unencrypted credentials (screenshot).
Output of a custom script to monitor crypto functions in the mobile app (screenshot).
Screenshot of the login call; similar calls can be observed for the other endpoints.

All of this made me think about how to bypass the SMS OTP of a user, because the PIN is asked after the OTP. The submission of the OTP via both the mobile app and the web app is on the URL https://accounts.digitallocker.gov.in/signin/verify_otp. By looking at how the communication progresses between the mobile app and the backend server, I came to the conclusion that the steps of verifying the SMS OTP and submitting the PIN are not linked together. Meaning you can do the SMS OTP as one user, submit the PIN of a second user, and finally you end up logged in as the second user. In short, the OTP function lacks authorization: OTP validation can be performed by submitting any valid user's details, and the flow can then be manipulated to sign in as a totally different user.

The immediate thing that caught my eye on the request to set the PIN was that it was a normal HTTP request with no session; in layman's terms, the platform allows an anonymous user to set the PIN for any active user of the platform. The PIN setting API/URL, https://accounts.digitallocker.gov.in/signup/set_pin, lacks any authorization and can be used to reset the PIN of any user without authentication. To give more technical context, internally the system denotes each user with a unique v5 UUID (a name-based identifier as per RFC 4122, so it is unique per user, but it is an identifier and not a secret), and to set a new PIN for a user all you need is to call the endpoint with the uuid and the new PIN value. Notice there is no session-related information on the POST request, so it is not bound to any user.

Sample screenshot of the set_pin call.

Now let me walk through the attack. Let's assume the attacker creates or gets hold of a valid dummy account.

Vulnerability #1, OTP bypass:
Step 1: The attacker uses a valid user account that he has access to and starts the login process by submitting his phone number.
Step 2: The attacker completes the OTP validation at https://accounts.digitallocker.gov.in/signin/verify_otp with the account (mobile number) he possesses.
Step 3: The attacker proceeds to submit the secret PIN. The mobile app calls two URLs for this (POST requests) and the web application calls two URLs (POST requests); between them the endpoints are https://accounts.digitallocker.gov.in/signin/login, https://accounts.digitallocker.gov.in/signin/mobile_view and https://accounts.digitallocker.gov.in/signin/oauth. All of these calls post a base64 combination of user_uuid:secret_pin (similar to basic auth) on the parameter.
Step 4: The attacker modifies these calls to carry any other user's uuid and secret PIN combination before it is submitted.
Step 5: The attacker is now logged in as the victim; hence the victim's OTP protection is bypassed.

Vulnerability #2, PIN takeover of any user:
Step 1: The attacker finds the uuid of a user, or randomly picks one.
Step 2: The attacker submits the uuid of that user and a new PIN to https://accounts.digitallocker.gov.in/signup/set_pin.
Step 3: The attacker uses vulnerability #1 to gain access to the account with the new PIN, or, using the basic auth behaviour described above, calls the API directly with user_uuid:secret_pin to access functions or data directly.

Below is a summary of the findings; I just gave a risk rating based on industry standards for each:
1) OTP bypass due to lack of authorization – Critical
4) Weak SSL pinning mechanism in mobile app – Medium

Disclosure timeline:
May 10th – I reported this to CERT-IN
May 14th – CERT-IN finally acknowledged the issue
May 28th – CERT-IN confirmed the issues are fixed
June 3rd – I saw another blog with similar findings and decided to write one of my own

Related tweet from @digilocker_ind: https://twitter.com/digilocker_ind/status/1267873034645331969?s=09

Press coverage: Ashish, the security researcher who discovered the vulnerability, detailed his study in a Medium post. Reports described it as an authentication flaw that put the core of users' data at risk, across over 3.8 crore accounts, and pointed out that the mobile DigiLocker app uses a 4-digit PIN as an additional level of security, but that the attacker was able to modify the API calls to authenticate the PIN by associating it with another user and successfully log in as the victim.
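To make the two flaws above concrete, here is a small Python model written for this page (it is not DigiLocker's code and not the author's own scripts). A vulnerable backend reproduces what the write-up describes: the OTP step and the PIN step are not linked, and set_pin is not tied to any session. A hardened backend next to it binds every step to one server-side login transaction and to the account it was started for. The namespace UUID, phone numbers, PINs, the login transaction token and the method names are all constructed for the model; the real endpoints' request and response formats are not known from the page.

```python
"""Model of a two-step login (SMS OTP, then secret PIN) plus a set_pin endpoint.

VulnerableBackend: OTP result is not tied to the PIN step; set_pin ignores the session.
HardenedBackend: each step is bound to one single-use login transaction per account.
Added example for this page, not DigiLocker's code.
"""
import base64
import hmac
import secrets
import uuid
from typing import Optional

# Constructed sample data: the real namespace, numbers and PINs are not known.
NAMESPACE = uuid.UUID("4b9f7c5e-2d1a-4f8e-9b6c-1e2f3a4b5c6d")
ATTACKER_PHONE, ATTACKER_PIN = "9100000001", "1234"
VICTIM_PHONE, VICTIM_PIN = "9100000002", "8765"


def user_uuid(phone: str) -> str:
    # Accounts are keyed by a v5 UUID, as in the write-up. v5 is name based
    # (SHA-1 over namespace + name): stable per input, an identifier, never a secret.
    return str(uuid.uuid5(NAMESPACE, phone))


def basic_credential(user: str, pin: str) -> str:
    # base64("user_uuid:secret_pin"), the value posted at the PIN step
    return base64.b64encode(f"{user}:{pin}".encode()).decode()


def parse_credential(cred: str):
    user, _, pin = base64.b64decode(cred).decode().partition(":")
    return user, pin


class Backend:
    def __init__(self):
        self.accounts = {user_uuid(p): {"phone": p, "pin": pin}
                         for p, pin in ((ATTACKER_PHONE, ATTACKER_PIN), (VICTIM_PHONE, VICTIM_PIN))}
        self.otps = {}      # phone -> pending OTP
        self.txns = {}      # login transaction -> uuid whose OTP passed
        self.sessions = {}  # session token -> uuid

    def request_otp(self, phone: str) -> str:
        self.otps[phone] = f"{secrets.randbelow(10**6):06d}"
        return self.otps[phone]  # delivered by SMS in the real flow

    def verify_otp(self, phone: str, otp: str) -> Optional[str]:
        # On success, start a login transaction bound to the account owning the phone.
        if not hmac.compare_digest(self.otps.pop(phone, "-"), otp):
            return None
        txn = secrets.token_urlsafe(16)
        self.txns[txn] = user_uuid(phone)
        return txn

    def _pin_ok(self, user: str, pin: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and hmac.compare_digest(acct["pin"], pin)

    def _issue_session(self, user: str) -> str:
        tok = secrets.token_urlsafe(16)
        self.sessions[tok] = user
        return tok


class VulnerableBackend(Backend):
    def login(self, txn: str, cred: str) -> Optional[str]:
        # Any live transaction is accepted; nothing checks it belongs to the
        # uuid inside cred. This is the missing link between OTP and PIN.
        user, pin = parse_credential(cred)
        if txn in self.txns and self._pin_ok(user, pin):
            return self._issue_session(user)
        return None

    def set_pin(self, session, user: str, new_pin: str) -> bool:
        # session is never looked at: an anonymous caller can reset any PIN.
        if user not in self.accounts:
            return False
        self.accounts[user]["pin"] = new_pin
        return True


class HardenedBackend(Backend):
    def login(self, txn: str, cred: str) -> Optional[str]:
        user, pin = parse_credential(cred)
        # The transaction is single use and must have been started for this very uuid.
        if self.txns.get(txn) != user:
            return None
        del self.txns[txn]
        return self._issue_session(user) if self._pin_ok(user, pin) else None

    def set_pin(self, session, user: str, new_pin: str) -> bool:
        # Only the authenticated owner of the account may change its PIN.
        if self.sessions.get(session) != user:
            return False
        self.accounts[user]["pin"] = new_pin
        return True


def attack(server: Backend) -> dict:
    """Replays the attacker steps from the write-up; reports which ones succeeded."""
    attacker, victim = user_uuid(ATTACKER_PHONE), user_uuid(VICTIM_PHONE)
    out = {}
    # Vulnerability #1: OTP on the attacker's own number, PIN step with the victim's uuid
    # (assumes the attacker already knows or guessed the victim's PIN).
    txn = server.verify_otp(ATTACKER_PHONE, server.request_otp(ATTACKER_PHONE))
    sess = server.login(txn, basic_credential(victim, VICTIM_PIN))
    out["otp_bypass"] = sess is not None and server.sessions[sess] == victim
    # Vulnerability #2: anonymous PIN reset, then the same OTP bypass with the new PIN.
    out["anon_pin_reset"] = server.set_pin(None, victim, "0000")
    txn = server.verify_otp(ATTACKER_PHONE, server.request_otp(ATTACKER_PHONE))
    sess = server.login(txn, basic_credential(victim, "0000"))
    out["takeover"] = sess is not None and server.sessions[sess] == victim
    # Sanity check: the attacker's own, honest login still works on both backends.
    txn = server.verify_otp(ATTACKER_PHONE, server.request_otp(ATTACKER_PHONE))
    sess = server.login(txn, basic_credential(attacker, ATTACKER_PIN))
    out["own_login"] = sess is not None and server.sessions[sess] == attacker
    return out


if __name__ == "__main__":
    for cls in (VulnerableBackend, HardenedBackend):
        print(cls.__name__, attack(cls()))
```

Running it prints one result dict per backend: the vulnerable one grants a victim session in both scenarios, the hardened one refuses both while the attacker's normal login still works. The fix is not a secret algorithm; the server has to remember which account an OTP was verified for, consume that record at the PIN step only for the same account, and require an authenticated session of the same account before changing a PIN.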
Background on DigiLocker and the CBSE 2020 results, as reported alongside the findings.

DigiLocker is a national service launched by the Indian Government in 2015 with 1 GB of storage per citizen. It is a cloud-based platform for the storage, issuance, sharing and verification of certificates and documents in digital form and, as the name suggests, a digital locker for e-documents issued by the Indian Government that you can carry on the go. DigiLocker uses Aadhaar to verify the identity of the user and to enable authentic document access. Data from DigiLocker is shared only with the citizen's explicit consent. The system is protected with 256-bit SSL encryption, and DigiLocker is audited by recognized audit agencies, with application security audit certificates obtained at regular intervals. A 6-digit security PIN provides two-factor authentication on the account; this added layer is meant to prevent anyone from accessing your details in the app even if he has your smartphone. The default security PIN is your date of birth in DDMMYY format, e.g. if the date of birth on your admit card is 13/10/1997, your security PIN will be 131097.

To create an account, go to https://digilocker.gov.in/ or install the app from https://getapp.digilocker.gov.in (also available on the Play Store and App Store). Enter your registered Aadhaar or mobile number; an OTP, valid for 10 minutes, is sent to your mobile number, so wait a few minutes and do not refresh or close the page. Enter the 6-digit OTP to complete verification, then set your security PIN for 2-factor authentication to complete the registration; once the PIN is set you are automatically logged in. You may either create a user ID and password or just use the 6-digit PIN for login. One of the guides notes that you cannot create a DigiLocker account without an Aadhaar number; to pull e-copies of Aadhaar and other documents from the registered issuers you need to link your Aadhaar to the account. If you have forgotten your credentials, the account should be linked with your mobile number or at least your Aadhaar number, through which you can recover your username (Forgot Username) and reset your password (Forgot Password) on the desktop site or mobile app. The same account can be used to fetch a UAN/PPO number or to add, for example, a Tamil Nadu driving licence.

CBSE results 2020: 18 lakh students took the CBSE Class 10 examination. Results are published at cbseresults.nic.in and www.cbse.nic.in; the Class 12 result was published on 13th July. Students can also view results on the UMANG mobile application, on the myCBSE app on Google Play, through Google (which has partnered with CBSE: type CBSE result into the search box), or by SMS: cbse10 to 7738299899 for Class 10 and cbse12 to 7738299899 for Class 12.

The board also provides digital marksheets for Class 10 and Class 12 on DigiLocker. The SMS sent to students reads: "Please install DigiLocker app from https://getapp.digilocker.gov.in to access your digital CBSE marksheet/certificate. To login, use CBSE registered mobile number, OTP and enter last 6 digits of roll number as security pin." Accounts have been pre-created by CBSE, and students who do not want to install the app can use digilocker.gov.in.
Step 1: Go to https://digilocker.gov.in/ or open the app, and click on 'Sign In'.
Step 2: Enter the mobile number registered with CBSE and the OTP received on it.
Step 3: Enter the last 6 digits of your roll number as the security PIN and log in.
Step 4: Open the Issued Documents section, where the Class X or XII marksheet and certificates are available, and download them.
The scorecard released online is provisional; students have to collect the original marksheet from their schools and should check it carefully once the result is released. Students who feel their effort is not reflected in the result can apply online for rechecking and/or re-evaluation by filling in the form and paying the required fee; any change is updated on the scorecard and a fresh marksheet is issued by the board.

Last year's Class 10 statistics, for students setting expectations: the examinations were held from 21st February to 29th March 2019; 13 students scored 499 out of 500 and shared the top position (Siddhant Pengoriya, Yogesh Kumar Gupta, Divyansh Wadhwa, Ankur Mishra, Manya, Vatsal Varshney, Taru Jain, Aryan Jha, Bhavana N Sivadas, Ish Madan, Divjot Kaur Jaggi, Apoorva Jain and Shivani Lath); Kendriya Vidyalaya recorded the highest pass percentage at 99.23, followed by Jawahar Navodaya Vidyalaya at 98.66. Along with the result, the board announces the toppers and the top performing regions in order of overall pass percentage, and it expects the overall success ratio to improve this year.

Sumit Kumar is a content writer with specialization in the field of personal finance.

About the author: I started my career as a developer of web applications, and later I was given an opportunity to pursue my dream in information security, so I moved into information security at Ernst & Young. I started as a part of ITRA doing penetration testing for external clients including major banks, insurance and telecom companies across the Middle East and Africa; later I moved into the global information security team, where I mostly handled critical internal applications and periodic security assessments of all internet-facing applications. I am now a senior security specialist for Dubai Smart Government. I love this profession very much as it gives challenges and opportunities to learn something new on a daily basis. Whenever possible I find time to attend hacker conferences, and on one such occasion I met Dr. Philip Polstra, professor and renowned speaker at DEFCON 2014 USA; Phil mentioned my name in his book "Hacking and Penetration Testing with Low Power Devices" (ISBN-13: 978-0128007518, ISBN-10: 0128007516), highlighting the work that I have done. Apart from that I love robotics and hardware hacking, and currently I am building a 3D printer, a CNC machine and a robotic pet.

Related: BaseCrack – a tool to decode all alphanumeric base encoding schemes.
