Charlie Osborne28 February 2023 at 14:15 UTC
Updated: 28 February 2023 at 14:51 UTC
A cybersecurity researcher has highlighted a serious security issue that has exposed the personal identifiable information (PII) of approximately 185 million citizens in India. This vulnerability allows the potential creation of counterfeit driving licenses.
An investigative report by student and cybersecurity expert Robin Justin revealed how he was able to uncover these vulnerabilities on the Sarathi Parivahan website, which is operated by India’s Ministry of Road Transport and Highways. This portal enables citizens to apply for learner’s permits and driving licenses.
While attempting to apply for a driving license, Justin quickly discovered unsecured endpoints of the site due to inadequate access controls and authorization checks. He explained that to authenticate, an applicant only required a simple application number along with their date of birth. However, a flawed endpoint could allow anyone to use a random application number to retrieve sensitive information including the applicant’s date of birth, name, address, and even their driving license number.
Vulnerability in Plain View
Despite the cumbersome nature of brute-forcing application numbers, Justin continued his exploration of the system and found another vulnerable endpoint. This endpoint required only a phone number and the date of birth to retrieve the application number.
Justin further identified a security gap that permitted access to documents submitted by applicants, which had been inadvertently made public. He described this as a critical vulnerability that was “hiding in plain sight” and emphasized that by chaining together the discovered vulnerabilities, he could access sensitive documents of any individuals in India, provided he knew their phone number and date of birth.
Continued Security Concerns
The situation escalated when Justin reported these vulnerabilities to India’s Computer Emergency Response Team (CERT-IN) but received no initial response. He subsequently found a poorly protected one-time password (OTP) system that allowed him to log in with admin privileges, letting him search for applicants’ details, view documents, and even process applications without any in-person verification.
With this access, Justin noted, “I had direct access to critical documents like Aadhaar Cards and passports of all 185 million+ Indians who hold a driver’s license,” and he could generate countless valid government-approved driving licenses at will.
After reporting this additional security vulnerability to CERT-IN, Justin documented his findings starting from November 7, 2022, with follow-up reports sent later. Both reports were eventually marked as resolved, with fixes confirmed by January 25, 2023.
In an interview with The Daily Swig, Justin mentioned that despite the straightforward nature of his research, he faced no legal consequences for his actions. However, he was disappointed with CERT-IN’s response, which consisted solely of an automated acknowledgment without any further appreciation or feedback on his contributions.
As of now, The Daily Swig has reached out to CERT-IN and Sarathi Parivahan for further comments but has not received any responses yet. The article will be updated should new information arise.
For further insights, check out more on government-related cybersecurity issues.
Based on an article from ports wigger: https://portswigger.net/daily-swig/indian-transport-ministry-flaws-potentially-allowed-creation-of-counterfeit-driving-licenses
