The Council for the Indian School Certificate Examinations (CISCE) had announced that they will be publishing the ICSE (Indian Certificate of Secondary Education) 2014 examinations, for grade 10 students, results on the 21st of May at 15:00 IST. The CISCE announced, on the 20th of May, that the results will also be available through several other websites other than the official website of the CISCE. One of them was cisce.in.com. I visited this website to get my elder sister’s ISC (Indian School Certificate) examinations, for grade 12 students, result. The webpage looks like this:

After entering your 7-digit Unique ID, you get your results. The unique ID that I’ll be using for explanation in this blog post is 1234567.

I found a pattern in the URL for viewing the result for a particular UID. The URL looked like this:

http://resultns.cisce.myschool.in.com/results2014cisce/12th/1234/result-fcea920f7412b5da7be0cf42b8c93759-1234567.html

The path after ‘12th’ that is, ’1234’ is the first four digits of the unique ID. The text starting from ’fcea’ till ’759’ is the MD5 hash of ’1234567’, the UID, and ’1234567’ before ’.html’ is the UID again. Quite simple to crack, right? At least for us, programmers, who are used to these things it is not very difficult to decipher such patterns.

I replaced the ’12th’ in the URL with ’10th’, entered the first four digits of my UID in place of ’1234’, changed the MD5 hash and my 7-digit UID in place of ’1234567’ and wholla! I got my results much before the said date and time and I was probably the first student to retrieve my results.

Conclusion: Using technology and being able to control it are two different things.