An independent security researcher has come across a critical vulnerability in the National Voters Service Portal (NVSP) and alerted the Computer Emergency Response Team (CERT) that worked with technical experts to plug the loophole.
Sai Krishna Kothapalli, founder/chief executive officer of Hackrew, a Hyderabad-based cybersecurity firm, says he stumbled upon the vulnerability while downloading his Elector Photo Identity Card (EPIC) that gave him access to the registered phone numbers of other voters. A simple script could make available the phone numbers of all the voters in a Lok Sabha or Assembly constituency.
An alumnus of the Indian Institute of Technology, Guwahati, Mr. Kothapalli sent the alert by way of vulnerability submission to the CERT on October 22, 2021. Though an acknowledgement was supposed to be given within 72 hours, he received a reply only on December 7, 2021 saying that the emergency response team was in touch with the authorities concerned to take appropriate action. On December 14, 2021 he confirmed that the vulnerability had been patched.
Data leak prevented
“The plugging of the loophole has not only prevented a major data leak — exposing the personal mobile phone numbers of several crores of voters across the country — but averted a possible scam during the process of elections. By accessing a mobile number, and using another vulnerability I found, we can send an SMS that will appear as if it came from credible Government IDs. For instance, we can send a message to a voter giving some misleading information that could deprive him/her of casting the vote. So one can imagine this on a larger scale, impacting crores of votes across India,” says Mr. Kothapalli.
Explaining how he came across the vulnerability, the security researcher said he had visited the NVPS portal to download his e-EPIC. After entering the EPIC number and State name, the system would send an OTP to the registered mobile number for further authentication.
“This is where the vulnerability got exposed. While the OTP went to the voter’s mobile number, the response sent to the browser had the voter’s un-redacted phone number. While this is not visible on the screen, any person with the basic technical know-how of how websites work can figure out how to get it,” he said.
Since electoral rolls containing EPIC numbers, names and other election-related and personal details of a voter are published and available online for anybody to access, all that’s needed is to write a simple script to get the personal phone numbers, names, father/husband’s name, EPIC numbers, and constituency names of all voters in a constituency.
“This is the most dangerous and highly effective way you can abuse the vulnerability. Since names are visible, huge sections of the country can be targeted based on religion, caste or language in election-related scams in this way,” he added.
