Provident Fund Website Hack Reportedly Affects Millions
Security Practitioners React, Discuss Probable Causes
A vulnerability in a government-run website designed to assist employees in linking to their Provident Fund retirement accounts with their Aadhaar numbers was targeted by hackers. That's according to news reports that cite a letter from an executive with the Employees' Provident Fund Organization that was widely distributed via Twitter.
Some news reports suggest that about 20 million Indian citizens could have been impacted by the data leak.
The EPFO, however, denies that any data was leaked.
The affected website was leaking data for a few weeks in March before the leak was detected, the Huffington Post reports. Authorities are still trying to confirm the quantity of data obtained by hackers, according to the report.
The breach came to light late Wednesday when a letter from V.P. Joy, chief provident fund commissioner, surfaced on Twitter.
"EPFO data stolen by hackers exploiting the vulnerabilities prevailing in the website (https://t.co/ohpaCFwomY) : VP Joy, Central Provident Fund Commissioner to MeitY. Aadhaar case in SC at the last stage, how will the Govt defend this now ? pic.twitter.com/yYQJ3qDiCh" — Arvind Gunasekar (@arvindgunasekar) May 2, 2018
The letter, dated March 23, 2018, states that hackers stole data by exploiting vulnerabilities prevailing in the website of EPFO. "The Intelligence Bureau (IB) has advised to adhere to best practices and guidelines for securing the confidential data, re-emphasising regular audit and vulnerability assessment and penetration testing of the entire system from competent auditors," the letter states.
But Joy told the Huffington Post: "I am not aware of any data leak. We received a warning from the IB on March 22, and so I forwarded it to the relevant authorities the next day. This is a routine administrative matter."
And in a press release, the EPFO refuted any news of a data leak. "EPFO has been taking all necessary precautions and measures to ensure that no data leakage takes place. Warnings regarding vulnerabilities in data or software are a routine administrative process based on which the services which were rendered through Common Service Centres have been discontinued from March 22, 2018. EPFO has been taking all necessary precautions and measures to ensure that no data leakage takes place."
An initiative of the Ministry of Electronics and IT, Common Services Centres provide web-enabled e-governance services in rural areas.
Although Joy's letter cited vulnerabilities in the organization's website, some security experts are debating whether the vulnerability was actually within the systems of the Unique Identification Authority of India, which administers Aadhaar.
A security consultant with a global electronic automation company, who asked not to be named, tells Information Security Media Group: "I agree that the impact is higher because Aadhaar numbers are also part of the leak, but to blame UIDAI for this would be wrong."
The vulnerabilities mentioned in the letter are the Apache Struts vulnerability and backdoor shells.
The Apache Struts vulnerability was also found in the 2017 Equifax data breach that exposed personal details of about 148 million people. "It's a 1-year-old vulnerability and hasn't been patched by the EPFO. Since this is a government website, it has to be audited by Cert-In certified auditors. Nobody seems to question them," the security consultant says.
Rohan Vibhandik, a Pune-based cybersecurity researcher working for a global company, offers a theory on the attackers' methods: "After exploiting the vulnerability in Struts, attackers possibly used a backdoor shell, which is a malicious piece of code or a script that can be uploaded to a site to gain access to files stored on that site. Once it is uploaded, the hacker can use it to edit, delete, or download any files on the site."
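A defender-side check in the spirit of the sequence Vibhandik describes, added here as an illustration and not code from the article or from EPFO: it scans constructed web-server access-log lines for an OGNL expression marker in the request Content-Type header (the CVE-2017-5638 exploitation pattern) and then flags any previously unseen .jsp path requested by the same source, which is how a freshly uploaded backdoor shell would show up. It assumes the server's log format records the request Content-Type as a final quoted field; the log lines and addresses are constructed.

```python
import re
from typing import Dict, List

# Constructed sample lines (not real EPFO logs). Assumption: the server's LogFormat
# appends the request's Content-Type header as a final quoted field.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Mar/2018:10:01:02 +0530] "GET /index.action HTTP/1.1" 200 5120 "-"
203.0.113.10 - - [18/Mar/2018:10:01:09 +0530] "POST /index.action HTTP/1.1" 200 0 "%{(#_='multipart/form-data').(#x=1)}"
198.51.100.7 - - [18/Mar/2018:10:02:15 +0530] "POST /upload.action HTTP/1.1" 200 312 "multipart/form-data; boundary=xyz"
203.0.113.10 - - [18/Mar/2018:10:03:44 +0530] "POST /images/x.jsp HTTP/1.1" 200 88 "application/x-www-form-urlencoded"
198.51.100.7 - - [18/Mar/2018:10:04:01 +0530] "GET /help.jsp HTTP/1.1" 200 2048 "-"
"""

# Combined log format plus the trailing quoted Content-Type field assumed above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ctype>[^"]*)"$'
)
# OGNL expression markers inside a Content-Type header: a legitimate client never
# sends these, so any hit is a CVE-2017-5638 exploitation attempt worth triage.
OGNL_RE = re.compile(r"%\{|#_memberAccess|ognl", re.IGNORECASE)


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return findings: OGNL-in-Content-Type hits, then new .jsp paths from those sources."""
    findings: List[Dict[str, str]] = []
    tainted_ips = set()   # sources that sent an OGNL expression in Content-Type
    jsp_seen = set()      # .jsp paths already observed in the log (baseline)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not fit the assumed format
        f = m.groupdict()
        if OGNL_RE.search(f["ctype"]):
            tainted_ips.add(f["ip"])
            findings.append({"ip": f["ip"], "path": f["path"], "rule": "struts-ognl-content-type"})
            continue
        path = f["path"].split("?")[0]
        if path.lower().endswith((".jsp", ".jspx")):
            # A .jsp never seen before, requested by a source that already sent an
            # OGNL payload, is the signature of a backdoor shell being used.
            if f["ip"] in tainted_ips and path not in jsp_seen:
                findings.append({"ip": f["ip"], "path": path, "rule": "new-jsp-after-ognl"})
            jsp_seen.add(path)
    return findings
```

Run against a real log only after confirming the Content-Type field is present; if it is not, the first rule never fires and the .jsp rule alone is too noisy to act on.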
Who's to Blame?
Aadhaar data leaks have been in the news for a number of months. For instance, Aadhaar numbers of almost 67 lakh children leaked from an Andhra Pradesh government website earlier this year.
While some security experts argue that UIDAI should be more careful when it comes to giving permission to websites for using Aadhaar numbers, others say that UIDAI can't be blamed for an application fault in EPFO's website.
"EPFO should have carried out regular audits. It's clear that the audits were not carried out in a proper manner, else the known vulnerabilities would have been fixed long back," says Vicky Shah, cyber law and privacy expert.
"The EPFO website was at stake, as it was exploited by attackers to siphon the data. Attackers found the entry point through an insecure EPFO web framework, where seeding of Aadhaar numbers with PF accounts is done," Vibhandik contends.
Shah points out that under Section 43A of the Information Technology Act, 2000, an organization that possesses, deals with or handles any sensitive personal data or information is responsible for having reasonable security practices in place to protect that data. As a result, she argues, EPFO "should have conducted periodic reviews."
The incident raises the issue of the competency of auditors certified by CERT-In, says Dinesh Bareja, COO at Open Security Alliance. "There is no standard followed by CERT-In when it comes to certifying auditors," she claims.
The Apache Struts framework vulnerabilities have already been reported and addressed as CVE-2017-5638 and CVE-2017-9805 in a public repository of reported vulnerabilities and possible remedies.
To mitigate the risks from the vulnerabilities, the repository recommends:
- Updating the obsolete software or web components to the latest released patched versions;
- Implementing secure development practices along with periodic vulnerability assessment and penetration testing.