Using cookies to hack into a tech college’s admission system

Eaton

Key Points / Summary

The Sri Krishna College of Engineering and Technology (SKCET) is a college in India that, as you might have guessed, focuses on engineering, including computer science and security. Last year I stumbled upon their admissions admin panel, and it didn’t take long to find a vulnerability that gave me full access. It’s almost unbelievable that such a simple vulnerability could exist at a tech college of all places, but nothing should come as a surprise in web app security anymore.

A cookie is all it took 🍪

SparK is SKCET’s admission system. Employees log in using their email address and then enter an OTP. Simple and secure (maybe).

I didn’t know any valid emails, so I looked at the JavaScript to see how the login works and whether it had any weaknesses. Two names stood out: ADMISSION_OFFICER_LOGGED_IN and ADMISSION_OFFICER_EMPLOYEE_ID. These turned out to be cookies that the page checked when it loaded: if ADMISSION_OFFICER_LOGGED_IN was true, it skipped the login entirely and went to the dashboard. The check ran in the browser, on values the browser itself controls, so I tried setting the cookie manually. I didn’t know an officer ID, so I set it to 0.

Lo and behold, it worked!

Impersonating an officer

When I went to the Reports tab, it didn’t work:

Looking at the error details made it clear why:

The employee ID is supposed to be a GUID, not an integer. In other words, it expected a value of the form 00000000-0000-0000-0000-000000000000 rather than just 0. This complicated things, because unlike a small sequential integer, a GUID is not practical to guess.

The breakthrough came when searching for students. Student IDs are sequential integers, so I kept trying values until one matched:

The search API response contained the GUID of the officer who admitted that student:

With that GUID in hand, I updated my cookie and was essentially fully “logged in” as a real admission officer. After this, the Reports tab worked too.

Student data galore

Based on the dashboard above, there were 4,110 student records in the system. Here is what a student record looks like:

Let’s dig in and find out what is exposed. Next is the student information tab, where we have things like Aadhaar number, blood group, ethnic & religious details, and some interesting background information, such as “physically challenged certificate”:

Next is academic history, which is where exam scores/marks are:

Next is family details. Suddenly this vulnerability got even worse. Not only is student data exposed, their parents’ data is exposed too! Their Aadhaar cards and income are here:

Then we have address details – pretty standard info:

Then admission details:

And finally documents. This is a list of private documents you would never want anyone else to see:

Colleges are supposed to set you up for success, but if this data had leaked, it certainly would have led to a rough start for many!

Note: A valid employee ID cookie was not needed to view student information, which is why the screenshots above do not show a valid logged-in user. It was only needed for the Reports tab.

A disappointing vulnerability

The root cause is simple: every API was unauthenticated. No API request carried an authentication token, and the “login” was nothing more than a cookie check in the browser that the server never verified. Here is an example:

This vulnerability made me sad. If the college itself forgets about API authentication, is it also missing from the curriculum? To access thousands of student records loaded with highly sensitive information, you didn’t need an advanced hacking tool. You didn’t need to phish a teacher. You just needed Google Chrome. I hope they learn from this and do better.

If SKCET students read this, please DO NOT FORGET to add proper authentication to your web apps! The industry and your future employer will thank you. 🙂

Timeline

Special thanks to the Indian Computer Emergency Response Team (CERT-In) for working with me on this disclosure. They continue to be a valuable partner in helping resolve vulnerabilities I find in Indian companies and institutions.

There is some good news here: SKCET was relatively quick to respond and took the vulnerable website down within a week.
