The Indian Institute of Technology (IIT) Roorkee has admitted to security flaws in its cloud storage system linked to the JEE Advanced results portal after a teenager discovered vulnerabilities. The institute acknowledged the issue and stated that corrective measures are being implemented.
Teenager's Discovery
A 17-year-old cybersecurity researcher from Uttar Pradesh identified that the cloud storage used by IIT Roorkee for the JEE Advanced results portal had misconfigured access controls. This allowed anyone with the correct URL to view and download sensitive data, including candidate names, roll numbers, and scores.
The teenager reported the flaw to the institute's cybersecurity team on March 3, 2025. He demonstrated how the misconfiguration could expose personal information of thousands of candidates who appeared for the JEE Advanced exam.
IIT Roorkee's Response
IIT Roorkee confirmed the vulnerability in a statement, saying that the cloud storage was used to store provisional results for a limited period. The institute added that the flaw has been fixed and that an internal investigation is underway to prevent such incidents in the future.
"We take data security very seriously. The reported issue has been resolved, and we are reviewing our systems to ensure no similar vulnerabilities exist," an IIT Roorkee spokesperson said.
Implications for JEE Aspirants
The incident raises concerns about the security of sensitive data related to competitive exams. JEE Advanced is one of the most prestigious engineering entrance exams in India, with over 2.5 lakh candidates appearing annually.
Cybersecurity experts warn that such vulnerabilities could lead to data breaches, identity theft, and misuse of personal information. They emphasize the need for robust security protocols in educational portals handling sensitive data.
Broader Context
This is not the first time a security flaw has been discovered in a government or educational portal. In recent years, several similar incidents have been reported, highlighting the need for better cybersecurity practices across institutions.
IIT Roorkee's swift acknowledgment and action are seen as a positive step, but experts say continuous monitoring and regular security audits are essential to protect candidate data.
The teenager who discovered the flaw has been praised for his responsible disclosure. His actions have helped prevent potential misuse of data and have prompted a necessary review of security measures.
As the investigation continues, IIT Roorkee has assured all stakeholders that data security remains a top priority and that steps are being taken to strengthen their systems against future threats.
