In a recent blog post, cybersecurity researcher Robin Justin has exposed significant vulnerabilities in Sarathi Parivahan, the website for India's Ministry of Road Transport and Highways. This revelation sheds light on the potential compromise of personal identifiable information (PII) for approximately 185 million Indian citizens. Justin's investigation uncovered flaws that not only granted access to sensitive data but also enabled the creation of counterfeit driving licenses.
The Vulnerabilities
While attempting to apply for a driving license through the Sarathi Parivahan portal, Justin quickly discovered broken access controls and missing authorization checks on various endpoints. Authentication required only an application number and the applicant's date of birth. Exploiting a flawed endpoint allowed an attacker to input a random application number, revealing the associated PII, including name, address, driving license number, and even a photo of the individual.
A second vulnerable endpoint, requiring only a phone number and a victim's date of birth, further heightened the risk. This flaw facilitated access to the application number, paving the way for unauthorized retrieval of sensitive personal documents.
Compromising Admin Privileges
Despite reporting the initial vulnerabilities to India's Computer Emergency Response Team (CERT-IN) without receiving a response, Justin continued his investigation. He uncovered a poorly-secured one-time password (OTP) system for a SYSADMIN account, providing access to an administrator account. This granted the researcher extensive powers, including applicant searches, document viewing, the ability to process applications without in-person verification checks, approval of license information changes, and access to the PII of government staff working at regional transport offices.
In essence, Justin had direct access to critical documents such as Aadhaar Cards and passports for all 185 million+ Indians holding a driver's license. The severity of the situation escalated as the researcher noted the potential to generate as many valid government-approved driver's licenses as desired.
Upon discovering the additional vulnerability, Justin reported it to CERT-IN. Despite the initial lack of response, both vulnerability reports were marked as resolved, with fixes confirmed on January 25, 2023. Justin expressed that the research process was straightforward, and he encountered no legal repercussions for his work. However, feedback from CERT-IN was limited to acknowledging the fix without providing further credit or detailed feedback.
Conclusion
Robin Justin's investigation serves as a stark reminder of the critical importance of securing government portals, especially those handling sensitive personal information. The vulnerabilities discovered in the Sarathi Parivahan portal highlight the need for continuous vigilance and prompt action to address security loopholes, ensuring the safeguarding of citizens' personal data. The resolution of the reported vulnerabilities is a positive step, emphasizing the ongoing collaboration required between security researchers and government agencies to fortify online platforms against potential threats.
0 comments:
Post a Comment