DigiLocker @ digilocker.gov.in – Online Registration, DigiLocker Mobile Application, Working, Benefits, Statistics

DigiLocker is a national service launched by the Indian Government in the year 2015 with 1GB of storage. DigiLocker, as the name suggests, is a digital locker for all your e-documents that are issued by the Indian Government. It is a cloud-based platform that deals with the storage, issuance, sharing, and verification of certificates and documents in digital form. DigiLocker is a digital online store where the government allows us to hold data and files digitally, and it allows you to carry documents on the go. DigiLocker is an initiative of the Ministry of Electronics & IT ... It was launched for all Indian citizens to store their crucial documents/certificates such as Aadhaar, PAN, and other Government certificates […]

As per DigiLocker National Statistics, DigiLocker currently has 38.10 million registered users, 3.75 billion issued authentic documents, 155 issuer organizations, and 44 requestor organizations.

Here are the 7 most important things that you need to know about DigiLocker.
- DigiLocker uses Aadhaar to verify the identity of the user and also to enable authentic document access. Please note that you cannot create a DigiLocker account without an Aadhaar number.
- Security Audit: DigiLocker is audited by recognized audit agencies and the application security audit certificate is obtained at regular intervals.
- Consent System: the data from DigiLocker is shared only with the citizen's explicit consent.
- The system is protected with 256 Bit SSL Encryption. All sharing …
- A 4-digit security PIN has to be entered while logging in to the DigiLocker app. This added layer of security prevents anyone from accessing your details in the app even if he has your smartphone.
- A 6 digit PIN provides extra security to your account with two-factor authentication.

How to register: Go to the Play Store or App Store on your smartphone. You can also download the app from digilocker.gov.in. After opening the app, it will ask you to create an account. To create your account, enter your Aadhaar number and complete the verification process. Step 3: Create a DigiLocker account by completing the registration process. Step 4: Use your mobile number to create the account and verify it with an OTP. Step 5: You will be asked to enter your security PIN ... followed by setting your security PIN for 2-Factor authentication. The verification process will also ask you to set up a security PIN. Once the security PIN has been set, you will be automatically logged into your DigiLocker account. This will create your DigiLocker account.

Steps to link the DigiLocker account with Aadhaar: Now, in order to pull the e-copies of Aadhaar and other documents from the registered issuers, you need to link your Aadhaar to your DigiLocker account.

How to sign in: Visit the DigiLocker website; click on Sign In to proceed; enter your Username and Password in the fields given; click on the Sign In button to log in to your DigiLocker account. Step 1: Go to https://digilocker.gov.in/ Step 2: Log in to your account by clicking on 'Sign In'. Step 3: Enter your Mobile/Aadhaar/Username. An OTP will be sent to your mobile number. The OTP will be valid for 10 minutes. Step 4: Enter the 6-digit security PIN and click on Submit. Enter your 6 digit security PIN for authentication. Once you insert the security PIN, you will get access to your account.

How to access your UAN/PPO number from DigiLocker: Follow the steps below to access your UAN/PPO number from your DigiLocker account. Step 1: Go to https://digilocker.gov.in/ Step 2: Log in to your account by clicking on 'Sign In'. Step 3: Enter your Mobile/Aadhaar/Username. Once fully logged in, click on the issued document.

Sumit Kumar is a content writer with specialization in the field of personal finance.

Comment: I hope so your DigiLocker account should have either linked with your mobile number or at least to your Aadhaar Number, by which you can get to know your username by clicking on Forgot Username & modify your password by clicking the Forgot Password option available in the DigiLocker desktop site/Mobile App.

CBSE 10th and 12th Class Result 2020 Latest News

CBSE Class 10th results have been declared today. The board declared the CBSE 10th results on its official website cbseresults.nic.in; CBSE directly released the scorecard on its website. The 18 lakh students who have taken the CBSE Class 10 examination can check their result online at cbseresults.nic.in. Check scores at www.cbseresults.nic.in, www.cbse.nic.in. Scroll down to check the direct link and other sites where results can be viewed. Google has also partnered with CBSE to make it easier for students to find their results and other exam-related information: all students have to do is go to google.com and type "CBSE result" to get the pertinent link. Students can use the myCBSE app available on Google Play to check their results. Students can also view their results on the UMANG mobile application and by sending the SMS cbse10 … to 7738299899 for 10th Class. Those unable to access the results via the internet can avail of the SMS service; they have to pre-register for it.

CBSE Class 12th Result 2020 DECLARED Today: The wait of Class 12th students of Arts, Commerce and Science streams is finally over as the board has declared the results today at its official result portal. CBSE 12th Result Published on 13th July. The board will also provide Class 12 digital marksheets on DigiLocker at digilocker.gov.in.

The Central Board of Secondary Education will announce the names of the toppers in CBSE 10th result 2020; the toppers will be announced by the Board along with the formal declaration of the result. The Board, along with announcing the names of the toppers, will also announce the names of the top performing regions of the country in order of overall passing percentage. Due to high competition, many students who are high performers at school level also suffer when it comes to CBSE Class 10 results. The students are unable to set realistic expectations with regard to the upcoming CBSE Result 2020 of Class 10; similarly, the students are also hoping for a better performance as it would help them for higher studies. Therefore, to help students set the right and practical expectations, we have provided last year's CBSE 10 result statistics below. These statistics will help the students gauge their competition and performance and be prepared for the outcome of their hard work in the form of CBSE 10th Result 2020. CBSE conducted the Class 10 examinations from 21st February to 29th March 2019. Last year, 13 students obtained 499 out of 500 in the CBSE 10th results. 13 students shared the top position, which included Siddhant Pengoriya, Yogesh Kumar Gupta, Divyansh Wadhwa, Ankur Mishra, Manya, Vatsal Varshney, Taru Jain, Aryan Jha, Bhavana N Sivadas, Ish Madan, Divjot Kaur Jaggi, Apoorva Jain and Shivani Lath. Kendriya Vidyalaya recorded the highest pass percentage at 99.23, followed by Jawahar Navodaya Vidyalaya at 98.66.

CBSE allows the students to register for rechecking and re-evaluation online. The students who feel that their efforts are not truly justified in the CBSE 10th result 2020, as they have scored less than expected marks, can apply for rechecking/re-evaluation. Students willing to apply for the same need to pay the required fee along with filling up the rechecking and/or re-evaluation form. Any changes in the CBSE Class 10 2020 result will be updated on the scorecards of the candidates and a fresh marksheet will be issued by the board. The scorecard which will be released online is provisional; students will have to collect the original mark sheet from their schools. Candidates should make sure to check the marksheet carefully once the result is released online.

Download DigiLocker App to Access Marksheets of CBSE 10th and 12th Class: How to Use the DigiLocker App for the CBSE Result (https://getapp.digilocker.gov.in)

"Please install DigiLocker app from https://getapp.digilocker.gov.in to access your digital CBSE marksheet/certificate. To login, use CBSE registered mobile number, OTP and enter last 6 digits of roll number as security pin," reads the SMS that has been sent to students, as reported by Times Now. The message also informs students to use their roll number as the security PIN. For CBSE students, a DigiLocker account has already been created by CBSE. Students can also access the results online on digilocker.gov.in if they don't want to download the app on their phones.

This is how you can download DigiLocker and access your online mark sheet:
- Go to the Play Store or App Store on your smartphone. You can also download the app from digilocker.gov.in.
- To login, use the mobile number registered with CBSE. Enter your registered Aadhaar or mobile number. You will receive an OTP to login to your DigiLocker account; an OTP will be sent to your mobile number.
- After inserting the OTP, the security PIN, which is of 6 digits, is to be inserted. Students need to enter the last 6 digits of their roll number as the security PIN and log in; this is the last six digits of your CBSE roll number. Your default security PIN is your date of birth in DDMMYY format, e.g. if your date of birth on your admit card is 13/10/1997, your security PIN will be 131097. Click on 'Submit'.
- After successful login, students will need to go to the 'Issued Documents' section of DigiLocker, where all Class X or XII certificates will be available. You will now be able to check and download your CBSE digital mark sheet.

DigiLocker security findings

During the beginning of May 2020, there was a large commotion about the Aarogya Setu app and its security after a so-called "hack" by the infamous political hacker named Elliot Alderson. In light of all this, we at the YAS (Yet Another Security) community had some talks in our WhatsApp group. So, it turned out to be a discussion on techniques used for bypassing SSL pinning on mobile apps. This whole discussion made me curious about other apps from the Indian government, and since I have worked on similar projects outside of India, DigiLocker caught my attention.

To my surprise, I found that DigiLocker was not matching the basic security features of Aarogya Setu, such as custom root detection and custom SSL pinning checks, all wrapped inside an obfuscated binary. That made it interesting, so I decided to dig in. Hence, I downloaded the app, installed it on my test devices and fired up my favourite toolset, Burp Suite + Frida. I used my homebrewed pinning-bypass scripts to actively intercept the app's communication with the backend. As I was not a current user of the platform, it asked me to sign up first and set up a PIN to access the system.

Step 3: Now you may either create a User ID and Password as shown below or just set up a 6 digit PIN for login.

The immediate thing that caught my eye on the request to set the PIN was that it was a normal HTTP request with no session; in layman's terms, the platform allows an anonymous user to set the PIN for any active user of the platform. Shocking!!! To give more technical context, internally the system denotes each user with a unique v5 UUID (v5 denotes that it has enough entropy, that there is less chance of duplication and that it has enough randomness), so to set a new PIN for a user all you need is to call the endpoint with the UUID and the new PIN value. Sample screenshot of the call. Notice there is no session-related information on the POST request, so it is not bound to any user.

I figured all this out by looking at the mobile app of DigiLocker; wait a minute, there is a web portal for DigiLocker. I started to look at the web portal of DigiLocker, and this then gave me more internal knowledge of the mobile app. Sample screenshot of the login call; similar calls can be observed to all the URLs listed below.

It was observed that the API calls from mobile were using basic authentication to fetch data or do transactions. All calls from mobile have a header flag is_encrypted: 1, which denotes that the user has to submit the credentials (user_uuid:secret_pin) in basic-auth format encrypted with the algorithm AES/CBC/PKCS5Padding and the key We4c4HYS5eagYdshfEP2KY27KwkjaZNH. However, it was found that the same API can be accessed by removing the is_encrypted: 1 flag and then submitting the credentials in basic-auth format (user_uuid:secret_pin). Sample call removing the header flag and using unencrypted credentials. Output of the custom script to monitor crypto functions in the mobile app.

All of this made me think about how to bypass the SMS OTP of a user, because the PIN is asked for after the OTP. So by looking at how the communication progresses between the mobile app and the backend server, I came to the conclusion that the steps of verifying the SMS OTP and submitting the PIN are not linked together. Let's assume the attacker creates/gets hold of a valid dummy account.
- The attacker uses a valid user account that he has access to and starts the login process by submitting the phone number.
- The submission of the OTP via both the mobile and web app is on a URL. The attacker completes the OTP validation with the account (mobile number) he possesses.
- The attacker proceeds to submit the secret PIN. Mobile calls two URLs for this (POST request); the web application calls two URLs (POST request). All the above calls post a base64 combination of user_uuid:secret_pin (similar to basic auth) on the parameter.
- The attacker modifies these calls to use any user's UUID and secret PIN combo before it is submitted.
- The attacker logs in as the victim now; hence the victim's OTP protection is bypassed. Bingo!!!
In short: use any valid account the attacker has access to and complete the OTP, then proceed with the PIN submission to a totally different victim account.

Taking over the PIN of any user:
- The attacker finds the UUID of a user or randomly picks one.
- The attacker uses vulnerability #1 mentioned above to gain access to the account.
- The attacker submits the UUID of the user and the new PIN to the URL.
- Use vulnerability #2 to set and take over the PIN of any user.
- Call the API directly as described above to access functions or data directly.

URLs involved: https://accounts.digitallocker.gov.in/signin/verify_otp, https://accounts.digitallocker.gov.in/signin/login, https://accounts.digitallocker.gov.in/signin/mobile_view, https://accounts.digitallocker.gov.in/signin/oauth, https://accounts.digitallocker.gov.in/signup/set_pin, https://twitter.com/digilocker_ind/status/1267873034645331969?s=09

Here are some observations that I sent to the CERT-IN and DigiLocker teams. Below is a summary of the findings; I gave a risk rating based on industry standards for each.
1) OTP bypass due to lack of authorization – Critical. The OTP function lacks authorization, which makes it possible to perform OTP validation by submitting any valid user's details and then manipulating the flow to sign in as a totally different user.
2) The PIN-setting API/URL lacks any authorization and can be used to reset the PIN of any user without authentication.
3) The mobile API can be called directly with unencrypted basic-auth credentials, as described above.
4) Weak SSL pinning mechanism in mobile app – Medium. The app uses weak SSL pinning; it can be bypassed easily with tools like Frida and known techniques.

May 10th – I reported this to CERT-IN
May 14th – CERT-IN finally acknowledged the issue
May 28th – CERT-IN confirmed the issues are fixed
June 3rd – I saw another blog with similar findings and decided to write one of my own

Thanks for all your support and inspiration to do this. Dedicated to all 215 members who are my hardcore brothers & sisters from the YAS community.

About the author: Senior security specialist for Dubai Smart Government. I started my career as a developer of web applications; later I was given an opportunity to pursue my dream in information security, so I moved to information security in Ernst and Young. I started as a part of ITRA doing penetration testing for external clients including major banks, insurance and telecom companies across the Middle East and Africa. Later I moved into the global information security team, where I mostly handled critical internal applications and periodic security assessments of all internet-facing applications. I love this profession very much as it gives challenges and opportunities to learn something new on a daily basis. Whenever possible I find time to attend hacker conferences, and on one such occasion I met Dr. Philip Polstra, professor and renowned speaker at DEFCON 2014 USA. Phil mentioned my name in his book "Hacking and Penetration Testing with Low Power Devices" (ISBN-13: 978-0128007518, ISBN-10: 0128007516), highlighting the work that I have done. Apart from that, I love robotics and hardware hacking, and currently I am building a 3D printer, a CNC machine and a robotic pet.

News coverage of the findings

Recently, a security expert has discovered a new vulnerability in DigiLocker that has compromised over 3.8 crore accounts. It is an authentication flaw that has put the core of users' data at risk. Ashish, the security researcher who discovered the vulnerability, detailed his study regarding the same in a Medium post. The researcher pointed out that the mobile DigiLocker app uses a 4-digit PIN to implement an additional level of security; it's worth noting that the mobile app version of DigiLocker also comes with a 4-digit PIN for an added layer of security. But the researchers said it was possible to modify the API calls to authenticate the PIN by associating the PIN to another user (identified with a … Anyway, it was possible to modify the API calls to authenticate the PIN by associating the PIN with another user and gain access to the victim's account.