How I gained access to Tamil Nadu’s Property Approval Portal Dashboard just with a simple reconnaissance!👀

Gokuleswaran B
4 min read · Feb 11, 2025


No exploits. No brute force. Just recon skills and misconfigurations waiting to be found.

Imagine what attackers could do if such vulnerabilities go unnoticed. Security isn’t just about firewalls; it’s about mindset!

Security Misconfiguration with Recon

Introduction

Sometimes, security flaws don’t need advanced hacking techniques. Sometimes, all it takes is a single exposed file left unprotected.

In this case, I found a publicly accessible Excel file that contained something shocking — internal URLs, usernames, and passwords to the Tamil Nadu Property Approval Portal’s dashboard. No exploits, no brute force. Just basic recon and a bit of curiosity.

Let me break down how I found it, why this happens, and how organizations can avoid such disasters.

Let’s get started, buddy!

Understanding the Target

Tamil Nadu’s Property Approval Portal is an official platform used for property approvals and related processes. A government-backed portal like this holds sensitive user data, making it a potential target for attackers.

Before diving in, I made sure I wasn’t breaking any ethical boundaries. Security research must always follow ethical guidelines, and unauthorized access without permission is illegal.

Step 1: The Recon Phase

Instead of actively attacking the system, I started with passive reconnaissance: collecting publicly available information without sending any direct attacks.

Here’s what I did:
1. Searched for open directories and exposed files using simple Google dorking:

filetype:xlsx OR filetype:xls OR filetype:csv "username" "password" site:target.com

2. Explored subdomains and hidden endpoints on the portal.
3. Checked for any publicly accessible storage links (Google Drive, AWS, etc.).

And that’s when I stumbled upon a publicly available Excel file.

Step 2: The Shocking Discovery

When I opened the file, I couldn’t believe what I saw — a complete list of URLs, internal dashboard links, usernames, and passwords!

The file was likely created for internal use, but someone forgot to restrict access, making it available for anyone on the internet to download.

With this information, I could have easily accessed the admin dashboard, modified records, or even gained deeper access to the system.

Logged in to Tamil Nadu’s Approval Portal

Step 3: The Potential Damage to TN!

If a malicious hacker had found this first, they could have:
Logged in as an admin and controlled the entire dashboard.
Accessed sensitive property data and approval records.
Extracted user details for phishing and identity theft.
Planted backdoors for long-term access.

A single unguarded file could have led to a complete system compromise.

Step 4: Responsible Disclosure

Instead of misusing this information, I immediately reported the issue to the concerned authorities. They were quick to act and removed the exposed file before any harm was done.

Lessons for Security Teams

This incident proves that the weakest security flaws are often human mistakes. Organizations should:
Never store credentials in plaintext files (Excel, Notepad, etc.).
Secure sensitive files with access controls (password-protect files, restrict access, etc.).
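
One way a security team could audit its own published or shared directories for this kind of file, as an added example that is not part of the original post. The header patterns, function names and sample files are assumptions constructed for illustration, and the scan is narrowed to .csv and .xlsx:

```python
import csv, os, re, tempfile, zipfile
import xml.etree.ElementTree as ET
# Header heuristics (assumed for this example; tune to your own naming).
USER_RE = re.compile(r"(?<![a-z])(user[\s_-]?(name|id)?|login)(?![a-z])", re.I)
PASS_RE = re.compile(r"(?<![a-z])(pass(word|wd)?|pwd)s?(?![a-z])", re.I)

def cell_texts(path):
    """Yield cell strings from a .csv or .xlsx file using only the stdlib."""
    if path.lower().endswith(".csv"):
        with open(path, newline="", encoding="utf-8", errors="replace") as fh:
            for row in csv.reader(fh):
                yield from row
    else:  # .xlsx is a ZIP of XML parts; cell text sits in <t> elements
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if name == "xl/sharedStrings.xml" or name.startswith("xl/worksheets/"):
                    for el in ET.fromstring(zf.read(name)).iter():
                        if el.tag.endswith("}t") and el.text:
                            yield el.text

def has_credential_columns(path):
    """True when the file holds both a username-like and a password-like cell."""
    cells = list(cell_texts(path))
    return any(USER_RE.search(c) for c in cells) and any(PASS_RE.search(c) for c in cells)

def scan_tree(root):
    """Return sorted relative paths of spreadsheets that look like credential lists."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith((".csv", ".xlsx")):
                full = os.path.join(dirpath, fname)
                try:
                    if has_credential_columns(full):
                        hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
                except (zipfile.BadZipFile, ET.ParseError, OSError, csv.Error):
                    continue  # unreadable or malformed file: skipped in this example
    return sorted(hits)

def demo():  # constructed sample files only, no real data
    xlsx_part = '<sst xmlns="urn:x"><si><t>Login ID</t></si><si><t>Pwd</t></si></sst>'
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "exports"))
        with open(os.path.join(root, "exports", "logins.csv"), "w") as fh:
            fh.write("URL,Username,Password\nhttps://portal.example.test,demo,NOT-REAL\n")
        with open(os.path.join(root, "approvals.csv"), "w") as fh:
            fh.write("ApplicationId,Status\n1001,Approved\n")
        with zipfile.ZipFile(os.path.join(root, "staff.xlsx"), "w") as zf:
            zf.writestr("xl/sharedStrings.xml", xlsx_part)
        return scan_tree(root)
```

Run `scan_tree` against a web document root or shared-drive export on a schedule; any hit is a file to pull from public reach, and the credentials in it should be rotated.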

Always use automation for recon! If you find something, report it responsibly.

That’s it for now.

Cheers and peace out!

POC Image with Exposed Credentials

Credentials Exposure via Excel File

POC Image Where I Found the Login Page

Found the Login Page

POC Image Successful Login into Dashboard as Admin

Successful Login into Admin Account
