Bhubaneswar, Aug. 21: An Utkal University student today exposed security loopholes in the Odisha Staff Selection Commission (OSSC) website and urged the state government to take urgent steps to prevent hackers from accessing valuable data.
The commission has invited applications for recruitment to various technical and non-technical posts, and candidates are required to apply online on www.odishassc.in, said Javed Anwar, a third-year MCA student at the university. After the applicant submits the form online, a user ID and password are generated on the screen.
“One has to note them down for accessing the system in future and finding out the application status. The applicant cannot change the computer-generated password, which is a five-digit numerical code. However, this password policy is very weak and allows a hacker to perform a brute-force attack on the OSSC’s login page and crack the code. The personal details of applicants such as marks and address can be manipulated and misutilised,” said Javed.
The 21-year-old said since the password consisted of five numbers, a hacker could easily test one lakh combinations of passwords — from 00000 to 99999 — in about 15 minutes. The attacker can use an automated program that includes a text file of 00000 to 99999 and repeatedly attempt to log on to the target system using a different number from the text file on each try.
“The brute force attack hardly takes any time these days. Further, the website lacked an account lockout policy, which disables a user account if an incorrect password is entered three or four times over a specific period. That feature exists in ATM machines, Gmail and many other websites,” he said.
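The lockout policy described above, as an added example that is not code from the article or from the OSSC site: a minimal login check that refuses further attempts after a fixed number of wrong passwords, plus a quick estimate of what that does to the 00000 to 99999 enumeration. The threshold of three failures and the 15-minute window are assumed values; the article only says "three or four times over a specific period".

```python
import math
import secrets
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, not the OSSC site's settings.
MAX_FAILURES = 3
LOCKOUT_SECONDS = 15 * 60
PIN_SPACE = 10 ** 5  # 00000..99999, the five-digit code the article describes

@dataclass
class Account:
    pin: str
    failures: int = 0
    locked_until: float = 0.0

class LoginService:
    """Login check with the account-lockout policy the article says was missing."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock  # injectable so the lockout window can be tested without waiting
        self.accounts = {}

    def register(self, user_id, pin):
        self.accounts[user_id] = Account(pin=pin)

    def login(self, user_id, attempt):
        acct = self.accounts.get(user_id)
        now = self.clock()
        if acct is None:
            return "denied"  # same answer as a wrong PIN, so user IDs cannot be enumerated
        if now < acct.locked_until:
            return "locked"  # checked before the PIN, so a locked account leaks nothing
        if secrets.compare_digest(attempt, acct.pin):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"

def worst_case_enumeration_seconds(space=PIN_SPACE, max_failures=MAX_FAILURES,
                                   lockout=LOCKOUT_SECONDS):
    """Upper bound on the time to try every PIN when each window allows max_failures guesses."""
    windows = math.ceil(space / max_failures)
    return windows * lockout  # ~30,000,600 s, roughly 347 days, versus about 15 minutes unthrottled
```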
Javed said the login page did not have a “captcha” either. A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) generates and grades tests that humans can pass but computer programs cannot.
“When you enter a wrong password a few times, you are asked to identify a string of warped letters and numbers from an image. It prevents a hacker from breaking into a website through an automated program. But the OSSC page does not have that security feature,” he said.
Secretary of the commission Anjana Prusty said she had not received any complaints about security threats. “Around 50,000 candidates have applied for 100-odd junior assistant posts and we have got stray complaints of the page getting hung or that it is not generating a password. But I am not aware of the security loopholes. I will consult my technical officers and secure the website at the earliest,” she said.