Hacker News new | past | comments | ask | show | jobs | submit
triceratops | on: Exposing Critical Vulnerabilities in CBSE's On-Screen Marking Portal
Big oof.

A master password shipped in client-side JS.

A fake OTP authentication process - "the server sends the OTP back...and the [client code] compares what you typed against that value locally before letting you through"

And it gets worse after that.