BENGALURU: City-based ethical hacker Prashanth Bhola, 28, said he first noticed security lapses in the Karnataka Examinations Authority (KEA) website when he was editing his sister’s Common Entrance Test (CET) application in April 2019. “I edited the application and logged out to see there was some IP address instead of the usual URL in the address panel. I knew something was not right as no one would put an IP address directly in the open,” he explained. Bhola then randomly edited it to realise he could access the entire ‘Directory List’ of KEA, which meant he could get hold of any dashboard (which should only be available in the back end to website administrators) of all the exams held by KEA since 2016. He said it’s a standard hacking procedure, calling hacking a “game of guessing”. But the issue is that such important data was unprotected, Bhola added. That’s when he stumbled upon the admin panel of CET 2019. “I clicked on it hoping it had restricted access, but I could get through. The panel listed many things like total amount collected by KEA and district-wise candidates’ applications,” Bhola said. But what caught his attention was the ‘download application’ and search ‘username’ tabs, screenshots of which are available with TOI. Wanting to exercise caution, he searched for his sister’s name and a list of students appeared: they either had the same name or it had appeared somewhere on their applications. “The list had their contact information, parents’ names, secret question code, answers and registration number,” Bhola explained. When he got in touch with other parents, they also shared concerns over how callers — several CET takers had received calls/ messages for admission to other institutions — had details that were only in the students’ application forms. Consultant seeks Rs 20 lakh for Maha seat The parent of a student who had enrolled with KEA for admission to MBBS got a call from a consultant trying to convince him to pay nearly Rs 20 lakh for a seat in a Maharashtra medical college. In the call — a copy of the audio recording is with TOI — the parent repeatedly asks the consultant how he got to know that his son was looking for medical seats or obtained his contact details. The consultant brushes off the question, saying, “It’s not difficult to get this information these days.” The man tries hard to convince the parent to pay for the Maharashtra seat, adding that medical seats in Bengaluru are a lot more expensive. ‘Bid to contact KEA was in vain’Bhola said he tried to contact KEA officials several times but either got no response or they showed no interest in what he was explaining. “I kept trying to reach their official phone but no one responded. If anyone happened to answer, they were apathetic and disconnected the call,” Bhola said. He, however, didn’t visit the KEA office as he was unsure about the reaction he would receive. The KEA helpline was also of no help. Revamping of website to blame?Bhola said the lapses may have been a result of the website’s upgradation. “KEA revamped its entire website somewhere during March-April 2019. Earlier, it was accessible on http://kea.kar.nic.in/. The URL now redirects users to the newly revamped website, https://cetonline.karnataka.gov.in/kea/, which is now its official URL,” he said. Apart from security issues, Bhola said the new portal confused students unfamiliar with the virtual form-filling process.