Charlie Osborne, 28 February 2023 at 14:15 UTC
Updated: 28 February 2023 at 14:51 UTC
A researcher has uncovered significant vulnerabilities that allowed access to the personal information of approximately 185 million citizens in India, enabling the creation of counterfeit driving licenses.
Recently, cybersecurity researcher Robin Justin revealed how he exploited vulnerabilities within the Sarathi Parivahan website, which is managed by India’s Ministry of Road Transport and Highways. The website facilitates applications for learner’s permits and driving licenses, and Justin, while applying for a driving license, discovered various endpoints that lacked adequate security measures.
Authentication merely required an application number and the applicant’s date of birth, but a flawed endpoint meant attackers could enter random application numbers to retrieve sensitive information such as the applicant’s name, date of birth, address, and driving license number, including their photo.
Instead of brute-forcing application numbers, Justin identified another vulnerable endpoint that required only a phone number and date of birth to access the application number, significantly simplifying unauthorized access.
‘Hiding in plain sight’
In his search, Justin discovered a feature meant for administrative use that was publicly accessible, allowing him to view uploaded documents associated with different applicants. This “critically vulnerable endpoint” could be easily exploited, enabling anyone with a phone number and date of birth to access sensitive documents belonging to others.
Justin noted that this chaining of vulnerabilities allowed for extensive data retrieval, potentially compromising the personal information of any Indian citizen who could be identified by their phone number and date of birth.
Ongoing Concerns
After he reported these vulnerabilities to India’s Computer Emergency Response Team (CERT-IN) and received no timely response, Justin uncovered a further issue: an insecure one-time password (OTP) system intended for a SYSADMIN account.
Utilizing this access, he was able to directly log into the portal with administrative rights, granting him the ability to search for applicants, view documents, and even process application requests without necessary verification checks. This access could lead to the generation of valid driving licenses and retrieval of critical governmental documents like Aadhaar cards for millions of citizens.
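The article does not show the portal's code. The following is an added illustration, not the site's or the researcher's code, of the server-side checks whose absence the report describes: records bound to the logged-in owner, identical denial for unknown and foreign application numbers, an admin role enforced on every call, and approval gated on a completed verification step. All names, record fields and sample data are constructed assumptions.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised for every denied request; the message never says why."""

@dataclass(frozen=True)
class Session:
    user_id: str                # set by the server at login, never read from the request
    role: str = "applicant"     # "applicant" or "admin"
    otp_verified: bool = False  # second factor completed in this session

# Constructed sample records (not real data).
APPLICATIONS = {
    "APP-0001": {"owner": "user-a", "docs": ["photo-a"], "verified": True, "status": "pending"},
    "APP-0002": {"owner": "user-b", "docs": ["photo-b"], "verified": False, "status": "pending"},
}

def _require_admin(session):
    if session.role != "admin" or not session.otp_verified:
        raise Forbidden("not found or not permitted")

def my_applications(session):
    """Application numbers come from the session identity, not from a
    phone number and date of birth supplied in the request."""
    return sorted(n for n, r in APPLICATIONS.items() if r["owner"] == session.user_id)

def get_application(session, app_no):
    """Return a record only to its owner. Unknown and foreign numbers fail
    identically, so responses do not reveal which numbers exist."""
    record = APPLICATIONS.get(app_no)
    if record is None or record["owner"] != session.user_id:
        raise Forbidden("not found or not permitted")
    return dict(record)

def view_documents(session, app_no):
    """Administrative feature: the role is checked on the server for each call."""
    _require_admin(session)
    record = APPLICATIONS.get(app_no)
    if record is None:
        raise Forbidden("not found or not permitted")
    return list(record["docs"])

def approve(session, app_no):
    """Approval needs an admin session and a completed verification step."""
    _require_admin(session)
    record = APPLICATIONS.get(app_no)
    if record is None or not record["verified"]:
        raise Forbidden("not found or not permitted")
    record["status"] = "approved"
    return record["status"]
```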
Following this discovery, Justin again reported the vulnerability to CERT-IN on November 7, 2022, and subsequently on December 5, with both issues marked as resolved after fixes were confirmed on January 25, 2023.
Although his research was straightforward, Justin has faced no legal repercussions for his actions. He received minimal acknowledgment from CERT-IN, which was limited to an automated response thanking him for his report. Feedback was restricted to communications about the resolution of the report.
The Daily Swig has tried to reach CERT-IN and Sarathi Parivahan for further comments but has yet to receive any responses. Any updates will be shared when available.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/indian-transport-ministry-flaws-potentially-allowed-creation-of-counterfeit-driving-licenses