The vulnerabilities found in the school's systems.
The school's result portal was publicly accessible at:
XXXX is the student's unique ID. Changing this number in the URL returns any student's result — no login, no authentication, nothing. Just by guessing or enumerating IDs, anyone can pull up any student's personal academic records.
The school app communicates with a completely unencrypted API. By using a man-in-the-middle (MITM) setup, we captured the traffic and found the base endpoint:
No HTTPS. No encryption. Every request sent from the app is in plaintext.
The most damning part — the API has an open profile endpoint using the same student ID:
That's the same XXXX from the result page. Hit this URL with any student's ID and you get:
No authentication. No rate limiting. Any outsider can access any student's data without them ever knowing.
These aren't just theoretical vulnerabilities. Anyone with basic technical knowledge can:
We don't know the full extent of what else could have been compromised — and that's exactly the problem.
# PrivacyMatters # SecureOurSchools
Hackers found a vulnerability in the school's web infrastructure. This usually happens through an outdated Content Management System (like WordPress), an unpatched plugin, or compromised administrator passwords.
Try typing site:saintpaulskota.co.in into your browser — you'll see what we mean.
Instead of taking the school's website offline or defacing the homepage (which gets noticed and fixed immediately), these hackers quietly inject thousands of hidden web pages or create rogue subdomains (like the webmaster. and m. ones visible in the search results).
.co.in or .edu) generally has a high "trust score" with Google, the hackers use the school's good reputation to make their spam links rank higher in Google search results.When regular users visit the main school site, everything probably looks perfectly normal. However, search engines index all these hidden spam pages.
saintpaulskota.co.in domain, flashing a massive red "This site may be hacked" warning to parents and students trying to visit it.
This isn't a separate issue. The same neglected infrastructure that allowed the domain to be hijacked for SEO spam is the exact same environment hosting the unencrypted API. A compromised domain means everything under it — including the API serving student data — is running on compromised, unmaintained servers.
The SEO piggybacking proves the school has no active security monitoring. No one is watching the servers. The same neglect that let hackers plant spam pages is why the API was left open and unencrypted.
# PrivacyMatters # SecureOurSchools