An AI coal mine security camera network powered by plaintext passwords
Security researcher finds that an AI-powered camera system for Indian coal mines exposes user credentials in plaintext and allows authentication bypass.
Inside an AI coal mine security camera network powered by plaintext passwords
Eaton • Jul 8, 2026
In my ongoing quest to find vulnerabilities in critical industries, I stumbled upon “Project DigiCoal” – an initiative to modernize coal mines in India.
There are many companies and partners involved with the project, but this post will only refer to 3 of them as the “DigiCoal Team”:
Coal India – they spearhead the project and it is for their coal mines.
Accenture – developer/partner
DeepSight AI Labs – developer/partner
There are a few web apps associated with it and one that stuck out was the “RPI Dashboard” developed by DeepSight AI Labs:
DeepSight AI Labs is a startup in India that “have developed an AI vision platform that is scalable to 1000’s of video streams & images to detect anomalies in line with business, compliance and security needs.” In other words, their system integrates into your existing CCTV setup and adds fancy AI vision capabilities to detect anomalies.
For a great overview on the system, take a look at their official case-study, adorned by this lovingly-crafted hero image:
Surely the Geth from Mass Effect would be able to spell better?
There’s also some involvement by Accenture. The user list was loaded with Accenture accounts.
Weak, Plaintext Passwords
Looking at the JavaScript code of the site, the “get_users” API stood out:
Going to that in your browser yields the entire user list, plaintext passwords included. No authentication necessary. Worse: passwords are duplicated! Many accounts share the same weak password. The screenshot below is color-coded to indicate which passwords are the same.
The passwords were so weak that even Chrome complained about them:
Even with the passwords, you didn’t actually need them to get into the system. Let’s get a little more creative!
Spoofing a login
The site controls access to routes via access roles stored in local storage.
All the access values I needed can be found in the users API:
Then I had to also set the “loggedin” boolean to true:
All plugged in to local storage:
Inside the system
After making all those changes, the site now loads:
This spoof worked because the APIs did not require authentication. This was already evident in the get_users API.
The Alert Dashboard is where you view all the camera feeds across 7 coal mines. There are a ton of alerts and you can view a still image or video of the event:
The system is configured to monitor for a variety of violations:
Vehicle detection
Intrusion
No PPE detected
And that is basically it! A fun little security breach, but nothing too overly serious.
Timeline
Special thanks to India’s Computer Emergency Response Team (CERT-IN) for working with me on this disclosure.
August 22, 2025: Reported to CERT-IN. They acknowledge the report same-day.
September 16, 2025: I ask for an update.
September 17, 2025: CERT-IN responds saying they are in the process of taking appropriate action with the concerned authority.
October 16, 2025: I ask for an update. CERT-IN responds saying they are in the process of taking appropriate action with the concerned authority.
November 17, 2025: Repeat of October 16.
November 18, 2025: CERT-IN confirms the vulnerability is fixed.