# An AI coal mine security camera network powered by plaintext passwords

> Source: <https://eaton-works.com/2026/07/08/coal-india-camera-hack/>
> Published: 2026-07-08 17:20:31+00:00

# Inside an AI coal mine security camera network powered by plaintext passwords

In my ongoing quest to find vulnerabilities in critical industries, I stumbled upon “[Project DigiCoal](https://digicoal.cilhq.coalindia.in/)” – an initiative to modernize coal mines in India.

There are many companies and partners involved with the project, but this post will only refer to 3 of them as the “DigiCoal Team”:

[Coal India](https://www.coalindia.in/)– they spearhead the project and it is for their coal mines.[Accenture](https://www.accenture.com/)– developer/partner[DeepSight AI Labs](https://deepsightlabs.com/)– developer/partner

There are a few web apps associated with it and one that stuck out was the “RPI Dashboard” developed by DeepSight AI Labs:

DeepSight AI Labs is a startup in India that “[have developed an AI vision platform that is scalable to 1000’s of video streams & images to detect anomalies in line with business, compliance and security needs.](https://deepsightlabs.com/#:~:text=have%20developed%20an%20AI%20vision%20platform%20that%20is%20scalable%20to%201000%E2%80%99s%20of%20video%20streams%20%26%20images%20to%20detect%20anomalies%20in%20line%20with%20business%2C%20compliance%20and%20security%20needs.)” In other words, their system integrates into your existing CCTV setup and adds fancy AI vision capabilities to detect anomalies.

For a great overview on the system, take a look at their [official case-study](https://www.linkedin.com/pulse/mining-use-case-physical-digital-transformation-7-mines-nqvje/), adorned by this lovingly-crafted hero image:

[There’s also some involvement by Accenture](https://www.mining-technology.com/news/coal-india-launches-project-digicoal/). The user list was loaded with Accenture accounts.

**Weak, Plaintext Passwords**

Looking at the JavaScript code of the site, the “get_users” API stood out:

Going to that in your browser yields the entire user list, plaintext passwords included. No authentication necessary. **Worse:** passwords are duplicated! Many accounts share the same weak password. The screenshot below is color-coded to indicate which passwords are the same.

The passwords were so weak that even Chrome complained about them:

Even with the passwords, you didn’t actually need them to get into the system. Let’s get a little more creative!

**Spoofing a login**

The site controls access to routes via access roles stored in local storage.

All the access values I needed can be found in the users API:

Then I had to also set the “loggedin” boolean to true:

All plugged in to local storage:

**Inside the system**

After making all those changes, the site now loads:

This spoof worked because the APIs did not require authentication. This was already evident in the get_users API.

The Alert Dashboard is where you view all the camera feeds across 7 coal mines. There are a ton of alerts and you can view a still image or video of the event:

The system is configured to monitor for a variety of violations:

And that is basically it! A fun little security breach, but nothing too overly serious.

**Timeline**

Special thanks to [India’s Computer Emergency Response Team (CERT-IN)](https://www.cert-in.org.in/) for working with me on this disclosure.

**August 22, 2025:** Reported to CERT-IN. They acknowledge the report same-day.**September 16, 2025:** I ask for an update.**September 17, 2025:** CERT-IN responds saying they are in the process of taking appropriate action with the concerned authority.**October 16, 2025:** I ask for an update. CERT-IN responds saying they are in the process of taking appropriate action with the concerned authority.**November 17, 2025:** Repeat of October 16.**November 18, 2025:** CERT-IN confirms the vulnerability is fixed.
