How Portal Home
← Back to Home

How We Did This

The vulnerabilities found in the school's systems.

1. The Result Page

The school's result portal was publicly accessible at:

https://saintpaulskota.co.in/ShowResult.aspx?id=XXXX

XXXX is the student's unique ID. Changing this number in the URL returns any student's result — no login, no authentication, nothing. Just by guessing or enumerating IDs, anyone can pull up any student's personal academic records.

2. The Unencrypted API

The school app communicates with a completely unencrypted API. By using a man-in-the-middle (MITM) setup, we captured the traffic and found the base endpoint:

http://malaroadservices.saintpaulskota.co.in/api

No HTTPS. No encryption. Every request sent from the app is in plaintext.

3. The Profile Endpoint

The most damning part — the API has an open profile endpoint using the same student ID:

https://malaroadservices.saintpaulskota.co.in/api/profile/XXXX

That's the same XXXX from the result page. Hit this URL with any student's ID and you get:

  • Father's name and mother's name
  • Parents' phone numbers
  • Fee payment history and details
  • Full address and other personally identifiable information

No authentication. No rate limiting. Any outsider can access any student's data without them ever knowing.

4. The Risk

These aren't just theoretical vulnerabilities. Anyone with basic technical knowledge can:

  • Enumerate student IDs sequentially and scrape thousands of records
  • Access parents' phone numbers and contact information
  • View fee payment data that exposes financial habits

We don't know the full extent of what else could have been compromised — and that's exactly the problem.

# PrivacyMatters # SecureOurSchools

1. The Website Has Been Compromised

Hackers found a vulnerability in the school's web infrastructure. This usually happens through an outdated Content Management System (like WordPress), an unpatched plugin, or compromised administrator passwords.

Try typing site:saintpaulskota.co.in into your browser — you'll see what we mean.

2. SEO "Piggybacking"

Instead of taking the school's website offline or defacing the homepage (which gets noticed and fixed immediately), these hackers quietly inject thousands of hidden web pages or create rogue subdomains (like the webmaster. and m. ones visible in the search results).

  • They fill these pages with keywords for sports betting, slot machines, and modded games.
  • Because a school domain (.co.in or .edu) generally has a high "trust score" with Google, the hackers use the school's good reputation to make their spam links rank higher in Google search results.

3. Impact on the School

When regular users visit the main school site, everything probably looks perfectly normal. However, search engines index all these hidden spam pages.

If left unfixed, Google might eventually blacklist the entire saintpaulskota.co.in domain, flashing a massive red "This site may be hacked" warning to parents and students trying to visit it.

4. This Does Not Leave the API Unaffected

This isn't a separate issue. The same neglected infrastructure that allowed the domain to be hijacked for SEO spam is the exact same environment hosting the unencrypted API. A compromised domain means everything under it — including the API serving student data — is running on compromised, unmaintained servers.

The SEO piggybacking proves the school has no active security monitoring. No one is watching the servers. The same neglect that let hackers plant spam pages is why the API was left open and unencrypted.

# PrivacyMatters # SecureOurSchools