Indian transport ministry flaws potentially allowed creation of counterfeit driving licenses

Charlie Osborne, 28 February 2023 at 14:15 UTC
Updated: 28 February 2023 at 14:51 UTC

A researcher has disclosed alarming vulnerabilities that allowed access to the personally identifiable information (PII) of approximately 185 million Indian citizens and enabled the creation of counterfeit driving licenses.

Student and cybersecurity researcher Robin Justin disclosed the findings in a blog post on February 20. The vulnerabilities affect Sarathi Parivahan, the official site for India’s Ministry of Road Transport and Highways.

This portal is designed for citizens to apply for learner’s permits or driving licenses. While attempting to secure a license, Justin quickly identified endpoints that exhibited broken access controls and lacked proper authorization checks.

Vulnerability Exposed

Authentication only required an application number and the applicant’s date of birth. However, a flawed endpoint for checking the application status allowed attackers to input any random application number to retrieve sensitive details like the applicant’s date of birth, name, address, and driving license number, along with their photo.

Rather than brute-forcing random application numbers, Justin delved deeper into the portal and discovered a second vulnerable endpoint, which required only a phone number and the victim’s date of birth to uncover the application number.

Shortly after, Justin found a publicly accessible feature intended solely for administrators. This feature enabled him to access documents uploaded by applicants, described by Justin as a “critically vulnerable endpoint hiding in plain sight.”

He continued: “To create maximum impact, we should link this vulnerable endpoint with the one that provides an application number via just a phone number and date of birth. This allows us to access sensitive personal documents of any Indian citizen whose phone number and date of birth we know.”
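
The flaws described above come down to missing object-level and function-level authorization checks. The following Python is an added example, not code from the portal or from Justin's write-up; it puts the unchecked pattern beside handlers that enforce both checks, and every name, record and the `Session` model in it is a hypothetical assumption:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample records; every name and value here is hypothetical.
APPLICATIONS = {
    "APP-0001": {"name": "Sample Applicant", "dob": date(1990, 1, 1),
                 "status": "PENDING", "documents": ["id_proof.pdf"]},
    "APP-0002": {"name": "Other Applicant", "dob": date(1985, 5, 5),
                 "status": "APPROVED", "documents": ["passport.pdf"]},
}

class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested record."""

@dataclass(frozen=True)
class Session:
    application_no: Optional[str] = None  # set only after a successful login
    role: str = "applicant"

def login(application_no: str, dob: date) -> Session:
    """Authenticate with application number + date of birth, as the article describes."""
    record = APPLICATIONS.get(application_no)
    if record is None or record["dob"] != dob:
        raise Forbidden("invalid credentials")
    return Session(application_no=application_no)

def status_unchecked(application_no: str) -> dict:
    """Flawed pattern: no session required, full record (including DOB) returned."""
    return dict(APPLICATIONS[application_no])

def status_checked(session: Session, application_no: str) -> dict:
    """Object-level check: a session may read only the application it logged in as."""
    if session.application_no != application_no:
        raise Forbidden("not your application")
    record = APPLICATIONS[application_no]
    # Return only what a status page needs; never echo the login secret (DOB).
    return {"application_no": application_no, "status": record["status"]}

def documents_checked(session: Session, application_no: str) -> list:
    """Function-level check: the document viewer is for administrators only."""
    if session.role != "admin":
        raise Forbidden("admin role required")
    if application_no not in APPLICATIONS:
        raise Forbidden("unknown application")
    return list(APPLICATIONS[application_no]["documents"])
```

Because the unchecked handler returns the date of birth, which is also the login secret, a status lookup on its own would hand over everything needed to authenticate as the applicant.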

Further Complications

The investigation did not stop there. Upon reporting these vulnerabilities to India’s Computer Emergency Response Team (CERT-IN) and receiving no immediate response, Justin uncovered a poorly secured one-time password (OTP) system for a SYSADMIN account.

He successfully logged into the portal using this administrator account, which afforded him powers to search for applicants and view documents. He even had the authority to process applications without the need for in-person verifications, approve changes to license information, and access the PII of government employees at regional transport offices.

“In summary, I gained direct access to critical documents, including Aadhaar Cards and passports of all 185 million+ Indians holding a driver’s license,” Justin commented. “Additionally, I could generate as many valid government-approved driver’s licenses as I needed.”

At this point, Justin reported the new vulnerabilities to CERT-IN. He submitted his first report on November 7, 2022, and a follow-up on December 5. Both reports were marked as resolved, with fixes confirmed by January 25, 2023.

Speaking with The Daily Swig, Justin stated that his research was relatively straightforward and he faced no legal consequences as a result of his discoveries.

He further noted that CERT-IN provided no credit beyond an automated “Thank you for reporting this incident to CERT-IN” response to his initial report. Feedback was limited to confirmation on how the reported vulnerability was addressed.

The Daily Swig has reached out to CERT-IN and Sarathi Parivahan for comments but has yet to receive any responses. Updates will be provided as more information becomes available.

Based on an article from portswigger.net: https://portswigger.net/daily-swig/indian-transport-ministry-flaws-potentially-allowed-creation-of-counterfeit-driving-licenses