Vulnerabilities Found in Yet Another Government Website
Researcher Says Uttar Pradesh State Road Transport Site Potentially Exposed Data
As India pursues greater levels of digitization, many government websites continue to be vulnerable to hacking and cyberattacks due to having basic vulnerabilities. In the latest development, a security researcher says the website of the Uttar Pradesh State Road Transport Corporation had a vulnerability that could have been exploited by hackers. UPSRTC is a public sector passenger road transport corporation based in Uttar Pradesh that has the biggest fleet of buses in North India.
About 105 government websites were hacked during the first 11 months of 2018, CERT-In reported. Earlier this year, over 90 Indian government websites and critical systems were attacked by self-proclaimed Pakistani hackers within hours of the Pulwama suicide strike in which 40 soldiers of India's Central Reserve Police Force were killed.
So even as the Indian government encourages more individuals and organizations to go digital, the government's own websites remain vulnerable to types of attacks that are often easily preventable.
The vulnerability in the north Indian transportation giant UPSRTC's site was discovered by Avinash Jain, lead infrastructure security engineer at online grocery delivery store Grofers, who also works as a part-time bug bounty hunter. Jain says he recently discovered the vulnerability in an application in the UPSRTC website that potentially left a large database exposed to hackers.
Jain says he reported the vulnerability to CERT-In, and it has been fixed.
It's not yet clear whether hackers stole any passenger details by taking advantage of the vulnerability, Jain says.
UPSRTC could not be immediately reached for comment. ISMG's calls to a telephone number listed as being a contact point for the organization went unanswered.
Data potentially exposed as a result of the vulnerability includes customers' full names, mobile numbers, addresses and dates of birth, Jain tells Information Security Media Group. "The website also exposed partial debit card and credit card numbers, their transaction details and booking details. ... A usernames list and passwords could also be accessed."
Jain and some other security practitioners and researchers claim the problem with vulnerabilities in government websites stems from a lack of regular testing of applications.
"Despite most government websites handling critical data, rarely do they conduct any security testings," Jain says. "The vulnerabilities are sometimes so basic that any sort of security checks will help detect these. ... The government itself has never taken any proactive measure in detecting these vulnerabilities. How long they can sustain the digital India movement is questionable."
What Are the Gaps?
Jain says the vulnerable bus booking application of UPSRTC was built on a weak, outdated framework. It was also open to SQL injection because a URL parameter was passed to the database without validation or protection. As a result, hackers could potentially have accessed the complete database, he says.
"There was no firewall used; there was no rate limiting" - used to control the amount of incoming and outgoing traffic to or from a network - "and there was no captcha," Jain says. "An attacker could easily run a script and take the complete database dump."
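The two gaps Jain describes here, a URL parameter concatenated into a SQL query and no rate limiting on the endpoint, can be shown side by side in a small self-contained handler. The following is an added example written for this article, not code from UPSRTC's application or from Jain; it uses an in-memory sqlite3 table with constructed sample rows as a stand-in for the MySQL booking database, and the function names, the booking schema and the request-limit values are assumptions for illustration.

```python
import sqlite3
import time
from collections import defaultdict, deque

# Constructed sample rows standing in for the booking database the article
# describes; sqlite3 is used as a stand-in for MySQL (assumption).
SAMPLE_BOOKINGS = [
    (1001, "Asha Verma", "9800000001"),
    (1002, "Ravi Singh", "9800000002"),
    (1003, "Meera Nair", "9800000003"),
]


def setup_db():
    """Create the in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, name TEXT, mobile TEXT)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)", SAMPLE_BOOKINGS)
    return conn


def lookup_vulnerable(conn, booking_id):
    # The URL parameter is pasted straight into the SQL text: the defect the
    # article describes. Whatever the client sends becomes part of the query,
    # so a crafted value can widen the WHERE clause to every row.
    sql = f"SELECT id, name, mobile FROM bookings WHERE id = '{booking_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, booking_id):
    # Hardened form: check the parameter has the expected shape (a booking id
    # is digits only), then bind it as a value so the driver never treats it
    # as SQL. Either measure alone blocks the injection; both is defence in depth.
    if not booking_id.isdigit():
        return []
    return conn.execute(
        "SELECT id, name, mobile FROM bookings WHERE id = ?", (int(booking_id),)
    ).fetchall()


class RateLimiter:
    """Sliding-window request limit per client key (for example the source IP).

    Limiting requests per client is what stops a script from walking the whole
    id space and dumping the table one row at a time.
    """

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.hits = defaultdict(deque)  # client -> timestamps of recent requests

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[client]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def serve(conn, limiter, client, booking_id, now=None):
    """Hardened request handler: rate limit first, then the parameterized lookup."""
    if not limiter.allow(client, now):
        return {"status": 429, "rows": []}
    return {"status": 200, "rows": lookup_safe(conn, booking_id)}


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, legitimate id:", lookup_vulnerable(db, "1001"))
    print("vulnerable, textbook tautology:", lookup_vulnerable(db, "' OR '1'='1"))
    print("hardened, same input:", lookup_safe(db, "' OR '1'='1"))
    limiter = RateLimiter(max_requests=3, window_seconds=60)
    print([serve(db, limiter, "10.0.0.1", "1001", now=t)["status"] for t in range(5)])
```

Run as a script, the vulnerable lookup returns all three rows for the classic tautology input while the hardened lookup returns none, and the fifth request from the same client inside one minute is answered with 429. The `isdigit` check is the cheap first line of defence; binding the value with `?` is the one that actually removes the injection, and it is the change that would have closed the hole Jain reported regardless of what the client sends.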
Most of the data being stored was not encrypted, Jain says. The data that was encrypted used the default encryption that MySQL provides, he adds. "Such default encryptions are easy to crack for anyone with slight knowledge of hacking. It is like having a door without any locks."
The Vulnerable Government Sites
Last year, Jain discovered a vulnerability in the website of IRCTC, the Indian Railway Catering and Tourism Corp., which is a subsidiary of the Indian Railways that handles catering, tourism and online ticketing operations.
The department took two years to fix the security flaw, during which time hackers could have exploited it to access passengers' personal information.
Also last year, French security researcher Eliot Alderson discovered that the websites of BSNL, the state-run telecommunications company, were unprotected against certain types of SQL injection attacks.
Another French researcher, Robert Baptiste, last year also found that India Post, the government-operated postal system, was running a vulnerable version of Apache Struts. Baptiste said that when he found the flaw, he also discovered that an attacker had used the vulnerability to upload a malicious file to India Post's website in 2017, in an apparent takeover attempt.
In light of the security issues at so many websites, "government needs to take security seriously," says Atindranath Das, a researcher at managed security service provider Paladion Networks. "While on the one hand the prime minister asks us to be prepared to counter any cyberwarfare, on the other hand we can't get the basics right when it comes to securing our websites."
"Suggestions on security measures and what to follow have been pointed out multiple times, but it seems to fall on deaf ears," says Dinesh O Bareja, Open Security Alliance's chief operations officer. "What more can you say when the other party is not ready to listen?"