CERT-IN takes over 11 months to plug vulnerabilities exposing personal data

Cybersecurity expert who flagged the flaw in Ministry of Corporate Affairs website calls for thorough investigation 

January 17, 2024 12:07 pm | Updated 09:50 pm IST - CHENNAI

A vulnerability had exposed the personal details of more than 98 lakh directors of Indian companies.


A critical vulnerability that exposed the personal details of VVIPs, including top industrialists, celebrities and sports personalities in the country, has been fixed by the Ministry of Corporate Affairs months after a cybersecurity expert flagged the issue.

Sai Krishna Kothapalli, founder and CEO of Hackrew Infosec, who came across the vulnerability by chance and flagged it to Computer Emergency Response Team, India (CERT-IN) on January 16, 2023, confirmed that the problem appeared to have been resolved after 10 months on December 20, 2023. However, suspecting theft or abuse of the sensitive data, he has called for an investigation.


It was during the Pongal holidays in 2023 that Mr. Sai Krishna, while working on a security tool called “Eagle Eye”, stumbled upon personal details such as Aadhaar, PAN, voter identity, passport, date of birth, contact number, communication address etc. of VVIPs. The vulnerability exposed the personal details of more than 98 lakh directors of Indian companies.

‘Freely available online’ 

“This is a story on how personal data of prominent personalities such as Ratan Tata, Mukesh Ambani, Gautam Adani, Shah Rukh Khan, Virat Kohli and many other influential people was freely available online due to a vulnerability in a government portal. Keeping the severity of such a data leak in mind, I immediately reported the matter to CERT-IN and requested that it be fixed as soon as possible,” Mr. Sai Krishna told The Hindu on Tuesday.

An alumnus of IIT-Guwahati, Mr. Sai Krishna said he was preparing a proof of concept for “Eagle Eye”, which was capable of detecting secrets and sensitive information from websites, when he visited the website of the Ministry of Corporate Affairs. 

“The next day, I noticed something interesting while going through the logs. I didn’t realise the ‘Eagle Eye’ tool I was prototyping was running in the background while browsing the MCA website. That night, it picked something up. There was some PII [Personally Identifiable Information] like email and phone numbers that were in the HTTP response but not there in the rendered HTML. This means that the browser received some data that’s not shown anywhere on the screen,” Mr. Sai Krishna said.

‘Sensitive data’ 

This is a generic class of vulnerability common in web and mobile applications: the server sends more data than the client actually needs, and sometimes that surplus includes sensitive data. “I was just as shocked. In front of my eyes, I had all the personal details of very important persons which were available for any individual or agency in India or abroad to access and even abuse. Such information is a jackpot for scammers. In a recent incident, scammers duped banks to the tune of ₹50 lakh just by using PAN numbers of some VIPs,” he said.
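The over-fetching pattern described above, as an added Python example that is not code from the article, the MCA portal, CERT-IN or Hackrew Infosec: a handler that serialises the whole stored record beside one that allow-lists only the fields the page renders, together with a check in the spirit of what the researcher describes, flagging PII-shaped values that are present in the HTTP response body but absent from the rendered HTML. The record schema, field names, sample values and regular expressions are constructed assumptions for illustration.

```python
"""Excessive data exposure: whole-record serialisation versus an allow-list,
plus a check for PII that reaches the client but is never rendered.
Added example; not code from the article or from any of the parties named in it.
Every value below is a constructed placeholder."""

import json
import re

# Constructed sample record, roughly how a back-end might store it (hypothetical schema).
DIRECTOR_RECORD = {
    "din": "00000000",               # placeholder director identification number
    "name": "Example Director",
    "company": "Example Pvt Ltd",
    "email": "director@example.invalid",
    "phone": "+91 90000 00000",      # constructed, not a real number
    "pan": "ABCDE1234F",             # constructed, not a real PAN
    "aadhaar": "1234 5678 9012",     # constructed, not a real Aadhaar
    "dob": "1970-01-01",
    "address": "1 Example Street, Example City",
}

# Only the fields the public listing page actually displays.
PUBLIC_FIELDS = ("din", "name", "company")


def serialize_director_unsafe(record):
    """The over-sharing pattern: hand the entire stored record to the client."""
    return dict(record)


def serialize_director_safe(record):
    """Allow-list serialisation: the response carries only what the view needs."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def render_listing_html(fields):
    """Minimal server-side template for the public listing entry."""
    return "<li>{} ({}) - {}</li>".format(fields["name"], fields["din"], fields["company"])


# Shapes of PII values (constructed approximations, not authoritative validators).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\+?\d[\d ]{9,}\d"),
    "pan": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),
    "aadhaar": re.compile(r"\b\d{4} \d{4} \d{4}\b"),
    "dob": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def find_unrendered_pii(response_body, rendered_html):
    """Return the keys of response fields whose values look like PII and never
    appear in the rendered page: data the browser received but does not show."""
    data = json.loads(response_body)
    leaks = []
    for key, value in data.items():
        if not isinstance(value, str):
            continue
        looks_like_pii = any(p.search(value) for p in PII_PATTERNS.values())
        if looks_like_pii and value not in rendered_html:
            leaks.append(key)
    return sorted(leaks)


def audit(serializer, record=DIRECTOR_RECORD):
    """Run one serializer through the page flow and return the leaked keys."""
    payload = serializer(record)
    body = json.dumps(payload)          # what goes over the wire
    html = render_listing_html(payload)  # what the user actually sees
    return find_unrendered_pii(body, html)


if __name__ == "__main__":
    print("unsafe handler leaks:", audit(serialize_director_unsafe))
    print("safe handler leaks:  ", audit(serialize_director_safe))
```

The check is deliberately crude: it treats the response as flat JSON and matches a handful of value shapes. The defensive point is the serializer: a view-specific allow-list keeps the decision about what leaves the server in one reviewable place, rather than trusting that the client will simply not display the rest.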

But what came as a rude shock to Mr. Sai Krishna was that, despite his alert to CERT-IN, the vulnerability remained open for months. It took 11 months and 4 days for the critical issue, which leaked the personally identifiable information of approximately 98 lakh Indians, including many high net worth individuals, to be resolved.

E-mail reply

Earlier, when the issue was first flagged to CERT-IN (on January 16, 2023), the security researcher received a reply via email stating that the complaint had been registered and that appropriate action would be taken.

With no reply after that and the vulnerability persisting, Mr. Sai Krishna wrote to the Director-General, CERT-IN, on July 31, 2023, and received a mail three days later saying that the vulnerability had been communicated to the authorities concerned for an early resolution.

On September 8, 2023, CERT-IN informed Mr. Sai Krishna that the issue had been resolved. But when he checked, the vulnerability persisted.

“There are a lot of companies openly selling the contact information [email and phone numbers] of directors online. I don’t know if this vulnerability has been exploited. I have requested a thorough investigation,” he said.
