An AI coal mine security camera network powered by plaintext passwords A security researcher discovered that the AI-powered security camera network for India's Project DigiCoal coal mines, developed by DeepSight AI Labs and Accenture, exposed a user list with plaintext passwords via an unauthenticated API. The vulnerability allowed unauthorized access to live camera feeds and alerts across seven mines, and was fixed after disclosure to CERT-IN in November 2025. Inside an AI coal mine security camera network powered by plaintext passwords In my ongoing quest to find vulnerabilities in critical industries, I stumbled upon “ Project DigiCoal https://digicoal.cilhq.coalindia.in/ ” – an initiative to modernize coal mines in India. There are many companies and partners involved with the project, but this post will only refer to 3 of them as the “DigiCoal Team”: Coal India https://www.coalindia.in/ – they spearhead the project and it is for their coal mines. Accenture https://www.accenture.com/ – developer/partner DeepSight AI Labs https://deepsightlabs.com/ – developer/partner There are a few web apps associated with it and one that stuck out was the “RPI Dashboard” developed by DeepSight AI Labs: DeepSight AI Labs is a startup in India that “ have developed an AI vision platform that is scalable to 1000’s of video streams & images to detect anomalies in line with business, compliance and security needs. https://deepsightlabs.com/ :~:text=have%20developed%20an%20AI%20vision%20platform%20that%20is%20scalable%20to%201000%E2%80%99s%20of%20video%20streams%20%26%20images%20to%20detect%20anomalies%20in%20line%20with%20business%2C%20compliance%20and%20security%20needs. ” In other words, their system integrates into your existing CCTV setup and adds fancy AI vision capabilities to detect anomalies. For a great overview on the system, take a look at their official case-study https://www.linkedin.com/pulse/mining-use-case-physical-digital-transformation-7-mines-nqvje/ , adorned by this lovingly-crafted hero image: There’s also some involvement by Accenture https://www.mining-technology.com/news/coal-india-launches-project-digicoal/ . The user list was loaded with Accenture accounts. Weak, Plaintext Passwords Looking at the JavaScript code of the site, the “get users” API stood out: Going to that in your browser yields the entire user list, plaintext passwords included. No authentication necessary. Worse: passwords are duplicated Many accounts share the same weak password. The screenshot below is color-coded to indicate which passwords are the same. The passwords were so weak that even Chrome complained about them: Even with the passwords, you didn’t actually need them to get into the system. Let’s get a little more creative Spoofing a login The site controls access to routes via access roles stored in local storage. All the access values I needed can be found in the users API: Then I had to also set the “loggedin” boolean to true: All plugged in to local storage: Inside the system After making all those changes, the site now loads: This spoof worked because the APIs did not require authentication. This was already evident in the get users API. The Alert Dashboard is where you view all the camera feeds across 7 coal mines. There are a ton of alerts and you can view a still image or video of the event: The system is configured to monitor for a variety of violations: And that is basically it A fun little security breach, but nothing too overly serious. Timeline Special thanks to India’s Computer Emergency Response Team CERT-IN https://www.cert-in.org.in/ for working with me on this disclosure. August 22, 2025: Reported to CERT-IN. They acknowledge the report same-day. September 16, 2025: I ask for an update. September 17, 2025: CERT-IN responds saying they are in the process of taking appropriate action with the concerned authority. October 16, 2025: I ask for an update. CERT-IN responds saying they are in the process of taking appropriate action with the concerned authority. November 17, 2025: Repeat of October 16. November 18, 2025: CERT-IN confirms the vulnerability is fixed.