MoRTH suffers a data breach

A student cybersecurity researcher, Robin Justin, found a critical data leak at the Indian Ministry of Road Transport and Highways (MoRTH). The leak potentially exposed the personally identifiable information (PII) of 185 million Indian citizens. Justin identified the vulnerabilities in Sarathi Parivahan, the website for MoRTH, while trying to apply for a driving license on February 20, 2023.

Vulnerabilities discovered


During his investigation, Justin discovered endpoints with broken access controls and missing authorization checks. The endpoint intended to check the application status was flawed, allowing attackers to supply a random application number to gain access to the applicant’s date of birth, name, address, driving license number, and even photo. Justin also found a second vulnerable endpoint that required only a phone number and a victim’s date of birth to access the application number.
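The missing authorization check described above, shown beside a corrected lookup, as an added example that is not code from the article or from the Sarathi portal. The page does not describe the portal's implementation, so every name, field and record here is constructed for illustration.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Application:
    number: str
    owner_id: str   # account that filed the application
    name: str
    dob: str
    address: str
    status: str

# Constructed sample records, not real data.
APPLICATIONS = {
    a.number: a for a in (
        Application("APP-0001", "user-a", "Applicant A", "1990-01-01", "1 Example Road", "UNDER_REVIEW"),
        Application("APP-0002", "user-b", "Applicant B", "1985-06-15", "2 Example Road", "APPROVED"),
    )
}

class Forbidden(Exception):
    """Raised for every refused lookup, whatever the reason."""

def status_vulnerable(application_number):
    # Flawed pattern: the number alone selects the record, the caller is never
    # identified, and the full record (PII included) is returned.
    app = APPLICATIONS.get(application_number)
    return None if app is None else asdict(app)

def status_hardened(session_user_id, application_number):
    # 1. Require an authenticated caller (identity comes from the server-side session).
    if not session_user_id:
        raise Forbidden("authentication required")
    app = APPLICATIONS.get(application_number)
    # 2. Object-level check: the caller must own the record. Unknown and foreign
    #    numbers get the same error, so replies do not reveal which numbers exist.
    if app is None or app.owner_id != session_user_id:
        raise Forbidden("application not available")
    # 3. Return only what a status check needs.
    return {"number": app.number, "status": app.status}
```

The hardened version ties the lookup to the authenticated session instead of to knowledge of an identifier, and trims the response to the status fields.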

An open access


Justin found another vulnerability, a public domain feature meant for administrators, which allowed him to access documents uploaded by the applicant. This feature was “critically vulnerable” as it could be accessed by anyone with knowledge of the phone number and date of birth of the Indian citizen.

OTP system vulnerability


After reporting the above vulnerabilities to India’s Computer Emergency Response Team (CERT-IN) and not receiving a response, Justin found a poorly secured one-time password (OTP) system for a SYSADMIN account. Justin was able to log into the portal with this administrator account, granting him powers, including applicant searches and document viewing.

In-person verification checks


Justin had the option to process applications without in-person verification checks, approve requests to change license information and access the PII of government staff working at regional transport offices. This gave him direct access to the Aadhaar cards and passports of all 185 million+ Indians that hold a driver’s license. The researcher also had the ability to generate valid government-approved driver’s licenses.


Reporting and fixes


After identifying the vulnerabilities, Justin reported them to CERT-IN. He sent the initial report on November 7, 2022, and the second on December 5. Both reports were marked as resolved, with fixes confirmed on January 25, 2023.

The research process


The research process was simple, according to Justin, and he did not face any adverse legal ramifications over his work. However, Justin reported that no credit was offered by CERT-IN beyond an automated “Thank you for reporting this incident to CERT-IN” reply to the report upon initial triage. Feedback received was “limited to them letting me know how the reported vulnerability was fixed.”

Recap


This incident highlights the importance of identifying vulnerabilities in websites and online portals. It also demonstrates how critical it is to take prompt action to fix identified issues to prevent data breaches. It is essential for organizations to prioritize cybersecurity and data privacy to prevent data leaks that could compromise the sensitive information of their customers or citizens.


It is hoped that this incident will serve as a reminder to the Indian government and its various departments to take cybersecurity seriously and invest in robust systems to prevent data breaches in the future. It is also essential to ensure that researchers who identify vulnerabilities are duly recognized and rewarded for their work to encourage more individuals to report issues that could compromise data privacy and cybersecurity.