cd /news/ai-safety/an-ai-coal-mine-security-camera-netw… · home topics ai-safety article
[ARTICLE · art-51475] src=eaton-works.com ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

An AI coal mine security camera network powered by plaintext passwords

A security researcher discovered that the AI-powered security camera network for India's Project DigiCoal coal mines, developed by DeepSight AI Labs and Accenture, exposed a user list with plaintext passwords via an unauthenticated API. The vulnerability allowed unauthorized access to live camera feeds and alerts across seven mines, and was fixed after disclosure to CERT-IN in November 2025.

read3 min views5 publishedJul 8, 2026
An AI coal mine security camera network powered by plaintext passwords
Image: Eaton-Works (auto-discovered)

In my ongoing quest to find vulnerabilities in critical industries, I stumbled upon “Project DigiCoal” – an initiative to modernize coal mines in India.

There are many companies and partners involved with the project, but this post will only refer to 3 of them as the “DigiCoal Team”:

Coal India– they spearhead the project and it is for their coal mines.Accenture– developer/partnerDeepSight AI Labs– developer/partner

There are a few web apps associated with it and one that stuck out was the “RPI Dashboard” developed by DeepSight AI Labs:

DeepSight AI Labs is a startup in India that “have developed an AI vision platform that is scalable to 1000’s of video streams & images to detect anomalies in line with business, compliance and security needs.” In other words, their system integrates into your existing CCTV setup and adds fancy AI vision capabilities to detect anomalies.

For a great overview on the system, take a look at their [official case-study](https://www.linkedin.com/pulse/mining-use-case-physical-digital-transformation-7-mines-nqvje/), adorned by this lovingly-crafted hero image:

[There’s also some involvement by Accenture](https://www.mining-technology.com/news/coal-india-launches-project-digicoal/). The user list was loaded with Accenture accounts.

Weak, Plaintext Passwords

Looking at the JavaScript code of the site, the “get_users” API stood out:

Going to that in your browser yields the entire user list, plaintext passwords included. No authentication necessary. Worse: passwords are duplicated! Many accounts share the same weak password. The screenshot below is color-coded to indicate which passwords are the same.

The passwords were so weak that even Chrome complained about them:

Even with the passwords, you didn’t actually need them to get into the system. Let’s get a little more creative!

Spoofing a login

The site controls access to routes via access roles stored in local storage.

All the access values I needed can be found in the users API:

Then I had to also set the “loggedin” boolean to true:

All plugged in to local storage:

Inside the system

After making all those changes, the site now loads:

This spoof worked because the APIs did not require authentication. This was already evident in the get_users API.

The Alert Dashboard is where you view all the camera feeds across 7 coal mines. There are a ton of alerts and you can view a still image or video of the event:

The system is configured to monitor for a variety of violations:

And that is basically it! A fun little security breach, but nothing too overly serious.

Timeline

Special thanks to India’s Computer Emergency Response Team (CERT-IN) for working with me on this disclosure. August 22, 2025: Reported to CERT-IN. They acknowledge the report same-day.September 16, 2025: I ask for an update.September 17, 2025: CERT-IN responds saying they are in the process of taking appropriate action with the concerned authority.October 16, 2025: I ask for an update. CERT-IN responds saying they are in the process of taking appropriate action with the concerned authority.November 17, 2025: Repeat of October 16.November 18, 2025: CERT-IN confirms the vulnerability is fixed.

── more in #ai-safety 4 stories · sorted by recency
── more on @coal india 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/an-ai-coal-mine-secu…] indexed:0 read:3min 2026-07-08 ·