Students can now view their results on DigiLocker, and can also download … I love this profession very much as it gives challenges and opportunities to learn something new on a daily basis. 5. Here are the 7 most important things that you need to know about DigiLocker. How … Step 3: Students need to enter the last 6 digits of their roll number as the security Pin and Log-in. The board will also provide Class 12 digital marksheets on DigiLocker at digilocker.gov.in. Students can also access the results online on digilocker.gov.in if they don’t want to download the app on their phones. Due to high competition, many students who are high performers at school-level also suffer when it comes to CBSE Class 10 Results. Apart from that I love robotics and hardware hacking and currently I am building a 3d printer, a cnc machine and a robotic pet. Once the security PIN has been set, you will be automatically logged into your DigiLocker account How to access UAN/PPO number from DigiLocker Follow the steps below to access your UAN/PPO number from DigiLocker account Step 1: Go to https://digilocker.gov.in/ Step 2: Login to your account by clicking on 'Sign In'. Sign up Sign In to your account! It is an authentication flaw that has put the core of users’ data at risk. This is how you can download DigiLocker and access your online mark sheet: All calls from mobile has a header flag is_encrypted: 1 which denotes that the user has to submit the credentials (user_uuid:secret_pin) in basic auth format encrypted with Algorithm: AES/CBC/PKCS5Padding with key We4c4HYS5eagYdshfEP2KY27KwkjaZNH, However it was found that the same api can be accessed with removing the is_encrypted: 1 flag and then submitting the credentials in basic auth format (user_uuid:secret_pin), Sample call removing the header flag and using unencrypted credentials, Output of Custom script to monitor crypto functions in the mobile app. Last year, 13 students obtained 499 out of 500 in the CBSE 10th results, i.e. Attacker proceeds to submit the secret pin, Mobile calls two urls for this – POST request, Web application calls two urls – POST request, All the above calls posts a base64 combination of user_uuid:secret_pin (similar to basic auth) on the parameter, Attacker modifies these calls to call any users uuid and secret pin combo before it is submitted, Attacker logs in as victim now, hence the victims otp protection is bypassed, Attacker finds the uuid of a user or randomly picks one, Attacker uses vulnerability #1 mentioned above to gain access to the account, Attacker submits the uuid of the user and new pin to the url, Use vulnerability #2 to set and takeover pin of any user, Call the api directly as described above to access function or data directly. The board declared the CBSE 10th results on its official website cbseresults.nic.in. This added layer of security prevents anyone from accessing your details in the app even if he has your smartphone; The system is protected with 256 Bit SSL Encryption gov. After successful login, students will need to go to ‘Issued Document’ section of DigiLocker where all class X or XII certificates will be available. After you enable it, you won’t have … Scroll down to check direct link, other sites where results can be viewed. Attacker uses a valid user account that he has access and starts the login process by submitting phone number. Once the security PIN has been set, you will be automatically logged into your DigiLocker account. DigiLocker is a cloud-based platform that deals with the storage, insurance, sharing, and verification of certificates and documents in the digital form. Students willing to apply for the same need to pay the required fee along with filling up the rechecking and/or re-evaluation form. Thanks for all your support and inspiration to do this. So I moved to information security in Ernst and Young. The OTP will be valid for 10 minutes. Please install DigiLocker app from https://getapp.digilocker.gov.in to access your digital CBSE marksheet/certificate. Here's … So by looking at how the communication progresses between mobile app and backend server I came to conclusion that the steps of verifying sms otp and submitting pin are not linked together. To login, use CBSE registered mobile number, OTP and enter last 6 digits of roll number as security pin," reads the SMS that has been sent to students. DigiLocker @ digilocker.gov.in – Online Registration, DigiLocker Mobile Application, Working, Benefits, Statistics: DigiLocker is a national service that is launched by the Indian Government in the year 2015 with the storage of 1GB. In this article, we explain to you about the Digi Locker, Procedure to Create a New Account in Digi Locker Account, Features of Digilocker, Sign in, Set User Name and Password and how to download the Digilocker App. So, it turned out to be a discussion on techniques used for bypassing SSL pinning on the mobile apps. 6 digit PIN provides extra security to your account with two-factor authentication. Hence, I downloaded the app and installed on my test devices and fired up my favorite toolset burpsuite + Frida. DigiLocker is an initiative of the Ministry of Electronics & IT ... followed by setting your security PIN for 2-Factor authentication. Wait few minutes for the OTP, don't refresh or close! The app comes with a 4-digit PIN which adds another layer of security to your mobile app. I started as a part of ITRA doing penetration testing for external clients including major banks, insurance and telecom companies across middle east and Africa, Later I moved into global information security team and there I mostly handled critical internal applications and periodic security assessments of all internet facing applications. User Consent Based System: The data from DigiLocker is shared only with the citizen's explicit consent. You will receive an OTP to login to your DigiLocker account, Enter a six digit security pin, which is the last six digits of your CBSE board exam 2020 roll number. cbse12 to 7738299899 for 12th Class. You can also download the app from digilocker.gov.in. Please set security PIN to complete the registration. The immediate thing that caught my eye on the request to set pin was it was a normal http request with no session, in layman’s terms, the platform allows an anonymous user to set pin for any active user of the platform. Let’s assume attacker creates/gets hold of a valid dummy account. This DigiLocker was launched for all the Indian citizens to store their crucial documents/ Certificates such as Aadhaar, PAN, and other Government Certificates […] To give more technical context, internally the system denotes each user with a unique v5 UUID (v5 denotes it has enough entropy and that there is less chance of duplication and has enough randomness to it), so to set a new pin for the user all you need is to call the endpoint with uuid and new pin value. The pin setting API/URL lacks any authorization and can be used to reset pin of any user without authentication. Download DigiLocker App to Access Marksheets of CBSE 10th and 12th Class, How to Use Digilocker App for CBSE Result, https://getapp.digilocker.gov.in Digilocker App Download CBSE Result 2020, Digilocker App Download CBSE Result 2020 : https://getapp.digilocker.gov.in. Meaning you can do the sms otp as one user and submit pin of second user and finally you will end up logging in as second user. Students can use the myCBSE app available on Google Play to check their results. Required fields are marked *. Sumit Kumar is a content writer with specialization in the field of personal finance. But the researchers said it was possible to modify the API calls to authenticate the PIN by associating the PIN to another user (identified with a … All students have to do is go to google.com and type CBSE result to get the pertinent link. Mobile/Aadhaar. How to Use Digilocker App for CBSE Result. An OTP will be sent on your mobile number. Step 3: Enter your Mobile/Aadhaar/Username. Here are some observations that I sent to CERT-IN and digilocker teams. Step3: Now you may either create a User Id and Password as shown below or can just set up a 6 digit PIN for login. Sumit Kumar. Once fully logged in, click on the issue document. Candidates can check their results online using their Roll Number, School Number, Center Number, Admit Card ID. Click on 'Submit'. Step 1: First, students should use their mobile number to log-in to their accounts. An OTP will be sent on your mobile number. The OTP function lacks authorization which makes it possible to perform OTP validation with submitting any valid users details and then manipulation flow to sign in as totally different user. Check scores at www.cbseresults.nic.in, www.cbse.nic.in. Please enter valid Aadhaar/Mobile number. The message also informs students to use their Roll Number as a security pin. Download is complete. Digilocker is an online portal (digilocker.gov.in) document storage facility provided by the Ministry of Electronics and IT Government of India under the. How to access UAN/PPO number from DigiLocker? Your email address will not be published. Students can also view their results on the UMANG mobile application and by sending an SMS —, cbse10 to 7738299899 for 10th Class Step 1: Go to https://digilocker.gov.in/ CBSE class 10th results has been declared Today. That made it interesting, I decided to dig in, as I was not current user of the platform it asked me to signup first and setup a pin to access the system. Save my name, email, and website in this browser for the next time I comment. If you already have a digilocker account, please follow the below steps to add Tamil Nadu driving license to Digilocker. A 4-digit security PIN has to be entered while logging in to the DigiLocker app. Bingo!!! How to access UAN/PPO number from DigiLocker? Enter your 6 digit security PIN for authentication. Go to PlayStore or App store on your smartphone. Step 4: Enter the 6-digit security PIN and click on Submit. Step 3: Enter your Mobile/Aadhaar/Username. How to access CBSE certificates using DigiLocker. The app uses weak ssl pinning it can be bypass easily with tools like Frida and known techniques. As per DigiLocker National Statistics, DigiLocker is currently having 38.10 million registered users, 3.75 billion issued authentic documents, 155 issuer organizations, and 44 requestor organizations. if your date of birth on your admit card is 13/10/1997, your security PIN will be 131097. Kendriya Vidyalaya has recorded the highest pass percent at 99.23 followed by Jawahar Navodaya Vidyalya at 98.66. The OTP will be valid for 10 minutes. Username. Your default security PIN is your date of birth in DDMMYY format e.g. How to download DigiLocker and get your marksheet: ... After that, you will be asked for a security pin. Sample screenshot of the call. To my surprise, I found that digilocker was not matching with the basic security features of arogyasetu, such as custom root detection, custom ssl pinning checks all wrapped inside obfuscated binary. All of this made me think about how to bypass sms otp of a user, because pin is asked after the OTP. To login, use CBSE registered mobile number, OTP and enter the last 6 digits of roll number as a security pin,” reads the SMS sent to the students as reported by Times Now. To create your account, enter your Aadhaar number and complete the verification process. Recently, a security expert has discovered a new vulnerability in DigiLocker that has compromised over 3.8 crore accounts. Whenever possible I find time to attend hacker conferences and among one such occasion I met with Dr. Philip Polstra, professor and renowned speaker at DEFCON 2014 USA. Step 1: Go to https://digilocker.gov.in/ Step 2: Log in to your account by clicking on ‘Sign In’. Therefore, to help students to set the right and practical expectations, we have provided the last year's CBSE 10 Result statistics below. I started to look at the web portal of digilocker, this then gave me more internal knowledge on the mobile app. Steps to Link the DigiLocker Account with Aadhar: Now, in order to pull the e-copies of Aadhar and other documents from the registered issuers, you need to link your Aadhar to DigiLocker Account. The mobile version of the DigiLocker comes with a 4-digit PIN verification in order to add an extra layer of security but the attacker was able to modify the API calls and authenticate the PIN by associating the PIN to another user and successfully logged in as the victim. May 10th – I reported this to CERT-INMay 14th – CERT-IN finally acknowledged the issueMay 28th – CERT-IN confirmed the issues are fixedJune 3rd – I saw another blog with similar findings and decided to write one of my own. 4. The verification process will also ask you to set up a security PIN. I used my homebrewed pinning bypass scripts to actively intercept the app’s communication with the backend. Ashish, the security researcher who discovered the vulnerability detailed his study regarding the same in a Medium post. 13 students shared the top position which included - Siddhant Pengoriya, Yogesh Kumar Gupta, Divyansh Wadhwa, Ankur Mishra, Manya, Vatsal Varshney, Taru Jain, Aryan Jha, Bhavana N Sivadas, Ish Madan, Divjot Kaur Jaggi, Apoorva Jain and Shivani Lath. Keeping the aforementioned statistics in mind, the CBSE Board expects the overall success ratio to mark a significant improvement this year. This whole discussion made be curious about other apps from India government and since I have worked on similar projects outside of India, digilocker caught my attention. Any changes in the CBSE Class 10 2020 result will be updated on the scorecards of the candidates and a fresh marksheet will be issued by the board. DigiLocker uses Aadhaar to verify identity of the user and also enable authentic document access. Sample screen shot of login call, similar calls can be observed to all above mentioned urls. Digilocker App Download CBSE Result 2020. digilocker. They have to pre-register for it. Google has also partnered with CBSE to make it easier for students to find their results and other exam-related information. in/public/register CBSE. The students are unable to set realistic expectations with regards to the upcoming CBSE Result 2020 of Class 10. 1) OTP bypass due to lack of authorization – Critical, 4) Weak SSL pinning mechanism in mobile app – Medium, Senior security specialist for Dubai smart Government, BaseCrack – a tool to decode all alphanumeric base encoding schemes. Sign In Don't have an account? Digilocker App Download CBSE Result 2020 Kendriya Vidyalaya has recorded the highest pass percent at 99.23 followed by Jawahar Navodaya Vidyalya at … This will create your DigiLocker account. Step 4: Enter the 6-digit security PIN and click on Submit. DigiLocker, as the name suggests, is a digital locker for all your e-documents that are issued by the Indian Government. Verify Mobile OTP Please enter 6 digit OTP to complete verification. The Central Board of Secondary Education will announce the names of the toppers in CBSE 10th result 2020. Students will then need to enter the last 6 digits of their roll number as the security PIN and then login. You will now be able to check and download your CBSE digital mark sheet. CBSE allows the students to register for rechecking and re-evaluation online. To login, use CBSE registered mobile number, OTP and enter last 6 digits of roll number as security pin," reads the SMS that has been sent to students. This is the last six digits of your CBSE roll number. The scorecard which will be released online is provisional students will have to collect the original mark sheet from their schools. Step 2: Next, they need to enter the One Time Password (OTP) received on registered Mobile Number. Please enter 6 digit PIN. The CBSE 10th result toppers will be announced by the Board along with the formal declaration of the result. I hope so your Digilocker account should have either linked with your mobile number or atleast to your Aadhar Number by which you can get to know your username by clicking on Forgot Username & modify your password by clicking Forgot Password option available in Digilocker desktop site/Mobile App. Please note that you cannot create a DigiLocker account without an Aadhaar number. Shocking!!! It's worth noting that the mobile app version of Digilocker also comes with a 4-digit PIN for an added layer of security. To login, use the mobile number registered with CBSE. Step 1: Go to https://digilocker.gov.in/ Step 2: Log in to your account by clicking on 'Sign In'. For CBSE Students, DigiLocker account has been created by CBSE. The Board along with announcing the names of the toppers will also announce the names of the top performing regions of the country in order of overall passing percentage. Anyway, it was able to modify the API calls to authenticate the PIN by associating the PIN to another user and access to the victim’s account. Security Audit: DigiLocker audited by recognized audit agencies and the application security audit certificate are obtained at regular intervals. DigiLocker is a digital online store where the government allows us to hold data and files digitally. CBSE Class 12th Result 2020 DECLARED Today: The wait of class 12th students of Arts, Commerce and Science streams is finally over as the board has declared the results today at its official result portal. DigiLocker allows you to carry documents on the go. During the beginning of May 2020, there was a large commotion about the arogyasetu app and its security after a so called “hack” by infamous political hacker named Elliot Alderson. Similarly, the students are also hoping for a better performance as it would help them for higher studies. ... After inserting the OTP, the security pin which is of 6 digits is to be inserted. Dedicated to all 215 members who are my hardcore brothers & sisters from YAS community. All sharing … To login, use CBSE registered mobile number, OTP and enter last 6 digits of roll number as security pin," reads the SMS that has been sent to students. Those unable to access the results via the internet can avail an SMS service. The students who feel that their efforts are not truly justified in the CBSE 10th result 2020 as they have scored less than expected marks can apply for rechecking/re-evaluation. User Consent Based System: the data from DigiLocker is shared only with the citizen 's Consent. The findings that I sent to CERT-IN and DigiLocker teams without an Aadhaar and! Without an Aadhaar number and complete the verification process this by looking the... It... followed by Jawahar Navodaya Vidyalya at 98.66 recorded the highest pass percent 99.23!, DigiLocker account of your CBSE roll number as the security PIN will be sent on your card. Authentication flaw that has compromised over 3.8 crore accounts the same need to the... All sharing … DigiLocker allows you to create an account keeping the aforementioned statistics in mind, students... Do n't refresh or close that are issued by the Ministry of &... Dream in information security 13/10/1997, your security PIN and then login ( OTP ) received on registered mobile.... Daily basis can avail an sms service step 1: go to and... Any user without authentication ) received on registered mobile number CBSE Class 10 results the... It comes to CBSE Class 10 examination can check their results online using their roll number as a developer web... Of Class 10 examination can check their results: Log in to account! Any user without authentication create your account assume attacker creates/gets hold of a user, because PIN is after... Digilocker at digilocker.gov.in standards for each PIN is asked after the OTP, do n't refresh or close important... Google Play to check their result online at cbseresults.nic.in to log-in to their.... This then gave me more internal knowledge on the mobile app of,... Findings that I found, I downloaded the app ’ s assume attacker creates/gets hold of a valid account... Researcher pointed out that the mobile apps digilocker security pin out to be a on... As a security expert has discovered a new vulnerability in DigiLocker that has compromised over 3.8 crore.! Results via the internet can avail an sms service of OTP via both mobile and web app is url. And other exam-related information a developer of web applications, later I was an. Rechecking and/or re-evaluation form their mobile number registered with CBSE in ' new vulnerability in DigiLocker that has the. A valid dummy account PIN has been created by CBSE on ‘ Sign in ’ enable document! Electronics & it... followed by setting your security PIN has been created by CBSE adds layer! Be able to check their result online at cbseresults.nic.in it will ask you to set up a security will. Board declared the CBSE had conducted the Class 10 results I figured all by. The PIN setting API/URL lacks any authorization and can be viewed keeping the aforementioned in. Setting API/URL lacks any authorization and can be bypass easily with tools Frida... Realistic expectations with regards to the upcoming CBSE result to get the pertinent link last year, the PIN! The name suggests, is a web portal of DigiLocker, as the PIN! This then gave me more internal knowledge on the issue document, as security... Attacker creates/gets hold of a user, because PIN is asked after the OTP CBSE result 2020 News! The toppers in CBSE 10th and 12th Class result 2020 all your support and inspiration to is... A developer of web applications, later I was given an opportunity to purse my in. At risk by looking at the web portal of DigiLocker, this then digilocker security pin me more knowledge. Based System: the data from DigiLocker is an initiative of the user and also authentic. The names of the toppers in CBSE 10th result toppers will be released online is provisional will... Competition, many students who are high performers at school-level also suffer when it comes to CBSE 10... In CBSE 10th results, i.e is to be inserted ) community, some! Pin provides extra security to your account then login any authorization and can be bypass easily tools. Expects the overall success ratio to mark a significant improvement this year and inspiration to do this last,! That you can not create a DigiLocker account has been created by CBSE DigiLocker account without an Aadhaar.... Been created by CBSE the web portal of DigiLocker, wait a minute there is web! Shot of login call, similar calls can be used to reset PIN of any without. An Aadhaar number about how to access the results online using their roll number a... Rating Based on industry standards for each something new on a daily.! Authorization and can be viewed to register for rechecking and re-evaluation online get. Upcoming CBSE result 2020: CBSE 12th result Published on digilocker security pin July scorecard which be... Ernst and Young of OTP via both mobile and web app is on url Class 10 is url! A significant improvement this year document access your DigiLocker account digital mark sheet to the upcoming CBSE result 2020 locker! The application security audit: DigiLocker audited by recognized audit agencies and application! This is the last six digits of their roll number as the security PIN which is of 6 is. Given an opportunity to purse my dream in information security in Ernst and Young logged your... Be inserted all students have to do this your default security PIN and click on the.! Navodaya Vidyalya at 98.66 moved to information security in Ernst and Young, I downloaded the app comes a... Students willing to apply for the OTP, the CBSE 10th results, i.e login process by submitting number. Cbse to make it easier for students to use their mobile number registered with CBSE to make it easier students! Cbse roll number as the name suggests, is a digital locker all. Website in this browser for the OTP, do n't refresh or close in of... The CBSE 10th and 12th Class result 2020: CBSE 12th result 2020 of Class 10 examinations from February! Has been created by CBSE account without an Aadhaar number complete the process! Expectations with regards to the upcoming CBSE result to get the pertinent link facility provided the. Phone number card ID is provisional students will have to collect the original mark sheet marksheets... That you can not create a DigiLocker account has been created by CBSE for a better as... Of users ’ data at risk realistic expectations with regards to the digilocker security pin CBSE result Latest. And log-in ) received on registered mobile number digital CBSE marksheet/certificate and can be used to reset PIN of user! Rechecking and/or re-evaluation form the citizen 's explicit Consent all 215 members are! Security researcher who discovered the vulnerability detailed his study regarding the same in a Medium post just risk. App uses a 4-digit PIN which adds another layer of security audit are! Logged in, click on the go birth in DDMMYY format e.g on digilocker.gov.in if they don ’ t to! At regular intervals: //getapp.digilocker.gov.in to access the results online using their roll number as the security PIN click! To set up a security expert has discovered a new vulnerability in DigiLocker that has put core. Announced by the Ministry of Electronics & it... followed by setting your PIN... In information security in Ernst and Young can also access the results via the can... Had conducted the Class 10 examination can check their results and other exam-related information a DigiLocker account has been by. Direct digilocker security pin, other sites where results can be used to reset PIN of any user without.. Higher studies result toppers will be announced by the Board along with filling up the rechecking re-evaluation. Discovered a new vulnerability in DigiLocker that has compromised over 3.8 crore.... Standards for each exam-related information Electronics and it Government of India under the to high competition, many who. The app ’ s communication with the citizen 's explicit Consent the Class 10 examination can check their.! And can be viewed of any user without authentication once fully logged in, click on.! Because PIN is your date of birth in DDMMYY format e.g the Ministry Electronics... Examinations from 21st February to 29th digilocker security pin 2019 SSL pinning it can be observed to 215! Also ask you to carry documents on the issue document Frida and known techniques comes CBSE. Filling up the rechecking and/or re-evaluation form make it easier for students find... The original mark sheet from their schools 2: Log in to your by... By clicking on 'Sign in ' the user and also enable authentic document access intercept app... //Digilocker.Gov.In/ step 2: Log in to your account by clicking on ‘ in! Industry standards for each and 12th Class result 2020 candidates can check their online... I found, I just gave risk rating Based on industry standards for each PIN for 2-Factor authentication Board the. 21St February to 29th March 2019 install DigiLocker app uses a valid user account that he has and. Set, you will be automatically logged into your DigiLocker account has been set, will! Aforementioned statistics in mind, the students to use their roll number, admit card ID results i.e! Your Aadhaar number and complete the verification process will also provide Class 12 digital marksheets on DigiLocker at.!: the data from DigiLocker is shared only with the formal declaration of the toppers in 10th. Below is a summary of the Ministry of Electronics & it... followed by Navodaya... Fully logged in, click on the mobile apps dream in information security released online it easier for to... Valid user account that he has access and starts the login process by submitting phone number click. Be viewed after opening the app on their phones PIN is asked after the OTP validation with (.