One Researcher, 14 Flaws, Millions of Indians at Risk

A young independent security researcher found gaping holes in Indian government portals — including an admin panel left wide open to the entire internet. The government fixed everything within three weeks.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial style, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • Independent researcher Sushant Bhardwaj discovered 14 vulnerabilities across Indian government IT portals in April 2025, two rated critical severity.
  • A Delhi scholarship portal exposed the full bank account numbers of 4,399 people to anyone with an internet connection.
  • The Union Public Service Commission — which handled 1.3 million job applications in 2023 alone — left its administrative login panel completely unprotected.
  • Nearly 2 million Delhi school students had enrolment and exam records exposed due to missing access controls.
  • All 14 vulnerabilities were patched within two to three weeks of Bhardwaj's report, first covered by Dark Reading.

Sushant Bhardwaj is an independent cybersecurity researcher. He doesn't work for a government agency or a big security firm. He found 14 security holes in Indian government websites on his own, reported them responsibly, and watched them get fixed. That's how it's supposed to work. It rarely does.

The problems he uncovered were not exotic. Most came down to broken access controls — meaning the websites displayed a "you can't see this" message but never actually enforced it on the server. Anyone who knew to look could walk straight past the warning.

How did the hackers get in?

No hackers got in — this time. But the doors were wide open.

Bhardwaj found that two Delhi government directories, managed by the city's Directorate of Education, had no real barrier protecting them. Files inside followed predictable naming patterns, so by tweaking the web address he was visiting, he could pull up student enrolment records, parents' names, school details, and exam results for close to 2 million students.

A separate Delhi portal handling scholarships — disproportionately used by lower-income families — exposed something far more dangerous: names, guardian details, and complete bank account numbers for 4,399 people. All visible to anyone online.

The most serious findings were at the national level. The Union Public Service Commission, or UPSC, is the body that recruits India's civil servants. Think of it as the country's central hiring office for government roles. Bhardwaj found twelve vulnerabilities in UPSC's portal. The worst: the administrative interface — the control panel that governs who can log in and what they can do — was sitting completely open on the public internet, no password required. A criminal could have granted themselves full access in minutes and taken over the entire system.

He also found the portal was vulnerable to automated credential attacks, where software rapidly tries thousands of username-and-password combinations until one works. There were additional issues with one-time passwords — the single-use codes texted to verify your identity — and with sensitive data appearing in publicly accessible documents.

Would stronger multi-factor authentication — requiring a second proof of identity beyond a password — have helped? For the credential-stuffing risk, yes, significantly. For the open admin panel, the problem ran deeper: the door had no lock at all.

Trey Ford of Bugcrowd put it plainly: "The most common public sector failure isn't a clever exploit, it's a simple error like leaving a directory open."

Bhardwaj agrees. "Most of the issues I've encountered were not the result of highly sophisticated attacks but rather configuration weaknesses and inconsistent access controls."

If you applied to a UPSC position, studied in a Delhi government school, or received a Delhi government scholarship, there is no confirmed evidence that anyone malicious accessed your data before the fixes. That said, if you notice unfamiliar activity on a bank account linked to any government portal, report it to your bank immediately.

© 2026 Threat Vectr