{"slug": "an-ai-coal-mine-security-camera-network-powered-by-plaintext-passwords", "title": "An AI coal mine security camera network powered by plaintext passwords", "summary": "A security researcher discovered that the AI-powered security camera network for India's Project DigiCoal coal mines, developed by DeepSight AI Labs and Accenture, exposed a user list with plaintext passwords via an unauthenticated API. The vulnerability allowed unauthorized access to live camera feeds and alerts across seven mines, and was fixed after disclosure to CERT-IN in November 2025.", "body_md": "# Inside an AI coal mine security camera network powered by plaintext passwords\n\nIn my ongoing quest to find vulnerabilities in critical industries, I stumbled upon “[Project DigiCoal](https://digicoal.cilhq.coalindia.in/)” – an initiative to modernize coal mines in India.\n\nThere are many companies and partners involved with the project, but this post will only refer to 3 of them as the “DigiCoal Team”:\n\n[Coal India](https://www.coalindia.in/)– they spearhead the project and it is for their coal mines.[Accenture](https://www.accenture.com/)– developer/partner[DeepSight AI Labs](https://deepsightlabs.com/)– developer/partner\n\nThere are a few web apps associated with it and one that stuck out was the “RPI Dashboard” developed by DeepSight AI Labs:\n\nDeepSight AI Labs is a startup in India that “[have developed an AI vision platform that is scalable to 1000’s of video streams & images to detect anomalies in line with business, compliance and security needs.](https://deepsightlabs.com/#:~:text=have%20developed%20an%20AI%20vision%20platform%20that%20is%20scalable%20to%201000%E2%80%99s%20of%20video%20streams%20%26%20images%20to%20detect%20anomalies%20in%20line%20with%20business%2C%20compliance%20and%20security%20needs.)” In other words, their system integrates into your existing CCTV setup and adds fancy AI vision capabilities to detect anomalies.\n\nFor a great overview on the system, take a look at their [official case-study](https://www.linkedin.com/pulse/mining-use-case-physical-digital-transformation-7-mines-nqvje/), adorned by this lovingly-crafted hero image:\n\n[There’s also some involvement by Accenture](https://www.mining-technology.com/news/coal-india-launches-project-digicoal/). The user list was loaded with Accenture accounts.\n\n**Weak, Plaintext Passwords**\n\nLooking at the JavaScript code of the site, the “get_users” API stood out:\n\nGoing to that in your browser yields the entire user list, plaintext passwords included. No authentication necessary. **Worse:** passwords are duplicated! Many accounts share the same weak password. The screenshot below is color-coded to indicate which passwords are the same.\n\nThe passwords were so weak that even Chrome complained about them:\n\nEven with the passwords, you didn’t actually need them to get into the system. Let’s get a little more creative!\n\n**Spoofing a login**\n\nThe site controls access to routes via access roles stored in local storage.\n\nAll the access values I needed can be found in the users API:\n\nThen I had to also set the “loggedin” boolean to true:\n\nAll plugged in to local storage:\n\n**Inside the system**\n\nAfter making all those changes, the site now loads:\n\nThis spoof worked because the APIs did not require authentication. This was already evident in the get_users API.\n\nThe Alert Dashboard is where you view all the camera feeds across 7 coal mines. There are a ton of alerts and you can view a still image or video of the event:\n\nThe system is configured to monitor for a variety of violations:\n\nAnd that is basically it! A fun little security breach, but nothing too overly serious.\n\n**Timeline**\n\nSpecial thanks to [India’s Computer Emergency Response Team (CERT-IN)](https://www.cert-in.org.in/) for working with me on this disclosure.\n\n**August 22, 2025:** Reported to CERT-IN. They acknowledge the report same-day.**September 16, 2025:** I ask for an update.**September 17, 2025:** CERT-IN responds saying they are in the process of taking appropriate action with the concerned authority.**October 16, 2025:** I ask for an update. CERT-IN responds saying they are in the process of taking appropriate action with the concerned authority.**November 17, 2025:** Repeat of October 16.**November 18, 2025:** CERT-IN confirms the vulnerability is fixed.", "url": "https://wpnews.pro/news/an-ai-coal-mine-security-camera-network-powered-by-plaintext-passwords", "canonical_source": "https://eaton-works.com/2026/07/08/coal-india-camera-hack/", "published_at": "2026-07-08 17:20:31+00:00", "updated_at": "2026-07-08 17:42:10.362182+00:00", "lang": "en", "topics": ["ai-safety", "ai-ethics", "computer-vision"], "entities": ["Coal India", "Accenture", "DeepSight AI Labs", "CERT-IN", "Project DigiCoal"], "alternates": {"html": "https://wpnews.pro/news/an-ai-coal-mine-security-camera-network-powered-by-plaintext-passwords", "markdown": "https://wpnews.pro/news/an-ai-coal-mine-security-camera-network-powered-by-plaintext-passwords.md", "text": "https://wpnews.pro/news/an-ai-coal-mine-security-camera-network-powered-by-plaintext-passwords.txt", "jsonld": "https://wpnews.pro/news/an-ai-coal-mine-security-camera-network-powered-by-plaintext-passwords.jsonld"}}