A critical vulnerability in the Kerala State Road Transport Corporation (KSRTC) website has exposed the personal data of over four lakh students.
The flaw was discovered by ethical hacker Edwin Shajan, who has previously identified multiple security lapses in government websites.
KSRTC collects sensitive information from students to provide travel concessions. According to Edwin, the website’s poor security architecture allows unauthorised access to student records, including personal details, email IDs, phone numbers, ration card photo proof, Aadhaar proof, and student IDs.
This isn’t the first time Edwin has flagged issues in the KSRTC system. During his recent investigation, he was able to access the website’s super admin page without any significant validation.
“By default, many of the super admin privileges—like database access or permission editing—were disabled. But I could manually enable them,” Edwin explained.
He also discovered a data migration feature that allowed the export of all student data registered on the portal. “The dataset includes both legitimate records and test entries—some appear genuine, while others are just random alphanumeric inputs,” he said.
Each student has a password-protected account on the site. However, Edwin found that hackers can modify these passwords. “Once the password is changed, anyone can log in and access the student's account and its associated permissions,” he noted.
Edwin added that he was also able to edit and manage school and college accounts, as well as access and modify information associated with higher-level roles such as 'Chief Traffic Officer'.
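The failure modes described above (privileges "disabled" only by a client-side switch, and password changes with no ownership or current-password check) come down to missing server-side authorization. The following Python sketch is added here as an illustration and is not code from KSRTC or from Edwin's report; the role names, the user table and the `export_all` permission are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Server-side role table (names constructed for this example): the only
# source of truth for what a session may do.
ROLE_PERMISSIONS = {
    "student": {"view_own"},
    "school_admin": {"view_own", "manage_school"},
    "super_admin": {"view_own", "manage_school", "db_access", "export_all"},
}

@dataclass
class Session:
    user_id: str
    role: str  # assigned by the server at login, never read from the request

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed user table with one student account.
USERS = {"stu-1": {"role": "student", "pw": hash_password("old-pass")}}

def vulnerable_export(request):
    """Reported pattern: the export is 'disabled' only by a flag the client
    controls, so whoever switches it on receives the whole dataset."""
    return "ALL_STUDENT_RECORDS" if request.get("export_all_enabled") else None

def hardened_export(session, request):
    """Authorize from the server-side session role; request flags are ignored."""
    if "export_all" not in ROLE_PERMISSIONS.get(session.role, set()):
        return None
    return "ALL_STUDENT_RECORDS"

def hardened_change_password(session, target_user, current_password, new_password):
    """Only the account owner may change the password, and only by proving the
    current one (constant-time compare). The reported site skipped both checks."""
    if session.user_id != target_user or target_user not in USERS:
        return False
    salt, digest = USERS[target_user]["pw"]
    if not hmac.compare_digest(hash_password(current_password, salt)[1], digest):
        return False
    USERS[target_user]["pw"] = hash_password(new_password)
    return True
```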
According to the admin dashboard Edwin accessed, KSRTC has received a total of 4,13,125 student applications—1,45,404 from college students and 2,67,721 from school students. Of these, 3,76,744 applications have been approved.
Edwin promptly reported the vulnerability to the Indian Computer Emergency Response Team (CERT-In). However, the issue remained unresolved 48 hours after the alert was raised.
In the past, Edwin has helped fix vulnerabilities in several government platforms, including a recent flaw in Kerala’s K-SMART application, which was addressed following his report.