As with FBR’s website, which we earlier reported was exposing sensitive user data of taxpayers (they later rectified the flaw after we pointed it out), this time it is the Punjab Public Service Commission, and the situation has only worsened.
Punjab Public Service Commission, or PPSC, has just opened the doors for anyone to find every nitty-gritty detail of hundreds of thousands of candidates applying for recently advertised lectureship jobs.
Anyone can freely access the following details of all the candidates who applied for lectureship jobs:
- Candidate’s picture
- Full Name
- Father’s Name
- Complete Address
- Mobile/Landline Number
- Email Address
- Age
- Academic Record
- Earlier Jobs, Experiences
- and much more
To give you a little background, PPSC recently announced more than 2000 male and female lectureship jobs in the Punjab Education Department. This time they made it compulsory for candidates to apply online.
Although this was meant to facilitate the candidates, their entire data was published online, and anyone can access it without any password or authentication.
By the way, hundreds of thousands of candidates applied (imagine, there were 2000 job posts), and all their private data is exposed to everyone. The situation is particularly alarming for female candidates, who are estimated to make up 50 percent of the total count.
We aren’t publishing the loophole that can reveal the user data (keeping in view that this may expose hundreds of thousands of individuals), but Punjab Public Service Commission must act immediately to undo its heinous blunder.
Adopting the latest technologies is good, but these government institutes should secure private details with passwords or some other means of authorization.
Just have a look at the following screenshot that we took: no password or username whatsoever was required to access this female candidate’s data. Even worse, a list of all the candidates who applied is available online, probably the worst privacy nightmare for any organization.
Thanks to Usman for the tip.
Good sharing. Don’t you think that by posting this news, it will be easy for “Special Agents” to get the sensitive info from ppsc site? And to annoy those female candidates, do you really think that this post can make any difference to ppsc? And they will change their policy to share info?
Yes PPSC has removed the sensitive data now….
ok
Dear Mr. Amir Atta, I am a regular reader of your posts, but for quite a while now I have noticed that there is nothing authentic left in your posts. I don’t know who gives you wrong info, or whether you yourself give people wrong info. I have been reading ProPakistani for 2.5 years, but now such news gets published that it makes one laugh to read it.
Now take this very news: PPSC is not so crazy as to give open access. Do one thing: go to http://www.ppsc.gop.pk, look up some candidate’s details and tell us, then come back and reply to my message, and if you do not get access then kindly remove this post.
regards
Hassan Azam
You just hatched out of your egg. That’s why you don’t know what the post is all about. Thick heads like you are at PPSC staff. That’s why they don’t know what the f is privacy.
Do me a favor. Stop visiting PP. If it’s so bad, why do you keep coming? :D
Hassan sahib, thanks for the feedback. I would like to point out that the screenshot given above was taken from PPSC’s website itself, and it clearly shows that all of the info, and the picture too, is being revealed.
It is said in the post above that we did not mention the loophole or any such links so that not everyone could use our method to view people’s data.
If you are associated with PPSC and you need proof, click on https://propakistani.pk/contact-us/ and get in touch with me.
Hahaha, looks like this gentleman tried and did not find any information. Use your brain a little, kid, and you will get access. I have checked and all the information is available; this gentleman simply seems to want someone to tell him the whole procedure for pulling out a candidate’s information :p …
Amir Bhai, I am not from PPSC staff, I am a candidate for lectureship. Why don’t you do one thing: I will give you my application number, and you put my details in place of the snapshot above. Then your claim will carry some weight. What do you think?????
Application number 16504598.
Waiting for your kind response…………………………………………..
Bro, we aren’t investigating anyone’s data; we are neither interested, nor did we have any such purpose in doing this post. As mentioned in so many other comments – the data is indeed available to anyone. You can go and find it yourself.
Well, look at you…. First of all, you are reporting today a problem from 2 months ago; secondly, you are setting people to the business of going and checking other people’s details, which cannot be checked. Anyhow, best of luck.
Sir, tell me your subject and I will tell you your information :p Drop your email address too, haha.
lolzz. “you are setting people to the business of going and checking other people’s details”
Brother, your point seems to carry weight. :)
hahahahha… outstanding Feld. Anyway, leave other people’s details alone and look after your own details, friends =(( Mr Amir, you take this down yourself, man.
I JUST CHECKED... PROPAKISTANI ARE 100% RIGHT.
YOU NEED TO USE YOUR MIND AND YOU WILL FIND ALL DETAILS.
Thanks to Usman… but what was Usman doing on FBR website… was he hacking?
I think the problem has been solved.
I tried to get into the hole just to check my skills. But the issue is resolved because the last date for applications has passed.
I have rechecked, just a minute ago (10:40 AM) and loophole still exists…
I just checked it now and found loophole in admission letters as well.
HASSAN AZAM
Please correct yourself. Go to the PPS website,
then go to _________ on the left side of the page…. Then enter your post and enter a wrong NIC no. You will get the candidate list and use it to access the data.
[Comment Edited]
Really….. then why don’t you send me my details? Application number is 16504598. My email will be mentioned there; mail it to me. You already know the name, don’t you.
The method you are describing does not reveal any details. Why are you spreading false things among people? PPSC’s staff are not that foolish. Forget all that, just send me my details; I am a candidate for commerce lecturer.
Wow, it’s so easy, but a real foolish act on PPSC’s part.
Author, you’ve so boldly placed the snapshot, would you mind blurring her number right below her photo?
Thanks for pointing out, landline number blurred too
Actually no it’s not. The original image is still there and it shows up in rss feeds.
https://propakistani.pk/wp-content/uploads/2011/09/Public_Service_Commision.jpg
Deleted from server….
Horrible. Need a serious action from the Officials.
It’s a sad state of affairs, but it actually is way too easy to access this data. Hope they fix it, because it took hardly 2 mins to figure out even without PP giving any hint on how to do it. Privacy does not mean anything to these morons and they do not care if data is stolen or used for unintended purposes.
This is really an alarming situation. I, with my moderate computer skills, am able to get the data of around 1500 candidates in 10 minutes. So any expert can fetch all details very very easily. And the persons who say that this is not a serious issue should think again !!!
PPSC should wake up now !!
Yah! There is a big loophole, I can access it. Why you post it here, you could let them know secretly by contacting them. Once they correct it, you could mention your effort here by copying your email conversation with them and with proof prints like shared in this post to recognize your effort in this. It will now be accessed by many and that’s a shame on you.
Agreed. Responsible disclosure requires you to notify them and wait for a while (a few days, or a week) before posting publicly.
They need a few impressions and some cents.
We didn’t reveal any trick to access the data, and hence didn’t offer any exposure to data.
However, we indeed mentioned a loophole, which was there and people with proper knowledge could access the data of any candidate.
About notifying PPSC, yes we had left an email which isn’t replied as of yet.
Maybe you didn’t post the loophole details directly, but you certainly let other commenters post almost everything someone needs to use the loophole.
Really, this is not responsible disclosure AT ALL.
http://www.sans.org/reading_room/whitepapers/threats/define-responsible-disclosure_932
Whether people knew or not, ProPakistani has told them... good :)
But whatever it told was wrong. Such an old issue is being remembered today, when it has been 2 months since it was resolved…………
Not Resolved Yet my friend :)
hahah :) nyc shoot
I appreciate ProPakistani’s steps for revealing this flaw. You should keep doing it so that proper action is taken. About the privacy thing, yeah, it can be a problem. I think it is better to first contact the authorities about the issue and let them fix it. And you should post it after they’ve fixed it.
Instead of going all heroic and superman, you should have personally visited the government department, if you were honestly concerned, yet, you noticed it and felt the need for the change, I appreciate it.
Did you try to visit them after reading this post?
yes that is totally right and as of now PPSC is still sleeping and not doing anything to protect such a sensitive info.
nothing less than a stupid person is the IT expert of PPSC.
It’s good, Mr Amir, if you call them or mail them that please remove them, rather than showing innocent candidate details to all Pakistan. Shame on you, it might be someone from our families, then what??
as he mentioned earlier, he dropped e.mail to their inbox but no reply yet. between one suggestion for you, GROW UP! :)
this is why we r far behind for thinking always -ive points in every field & issue.
again, please GROW UP :)
Dear GS,
Pls read the first para of the article. You will get the answer to your question.
“Like we pointed out earlier about FBR’s website that was exposing sensitive user data of taxpayers (they later rectified the flaw after we pointed out), this time it’s Punjab Public Service Commission – and situation has only worsen”
Dear, nowadays it is very difficult to keep ourselves safe on the internet, especially in Pakistan. It is a very big issue for all of us that such information is leaked by a Government Department. So it may be possible that in the coming days our data at NADRA will be leaked to anyone. So we must think about that situation.
No , I had checked all the links and sub links belong to this domain, Not any data found.
lol I found it.. just a CNIC needed.. even that CNIC list is available :D
Duhh its true thousands of candidate’s data is vulnerable
Don’t worry m gonna post the loophole soon!
Laughing…..
It just required 15 mins to reveal a bulk of data…….& THE MYSTERY.
lol….this is bullshit by PPSC….each and everything is available…
without application no it is not possible for anyone to get all the information as in above picture but only some information can be retrieved.
So you think you are more intelligent than all the people above?
Man it is 100% true.
i may be not more intelligent. i just say what i get.
This issue is resolved now
issue isn’t solved yet……7:15pm
issue is resolved now.
without application no you can’t do anything.
close the topic..
the saga still continues…..
The issue has been resolved now… They have removed any critical info except CNIC# & photograph of candidate …. Thanks to ProPakistani.com
ahan, looks good – if so
engineer
Dear Aamir,
thanks for sharing this with us. just download the .xls file of results and then one can see the students data. especially females.
We are in the IT era….. How shameful for those who are IT admins or IT pros there in PPSC
this is not the complete story any one can get this information in two cases if he/she has CNIC number of a candidate or his/her cell number.
Thanks to Propakistani. It seems PPSC has realized and they have removed the link for viewing candidate info.
noted some :p
this hole still remains :)
http://ppsc.punjab.gov.pk/UsersReg/UserPic/3740586083380.jpg
information about 03132537354