Hard News Hard Hitting News Source Global Political News

Indian transport ministry flaws potentially allowed creation of counterfeit driving licenses

A researcher has disclosed how he was able to access the personally identifiable information (PII) of potentially 185 million Indian citizens – and create counterfeit driving licenses to boot.

On February 20, student and cybersecurity researcher Robin Justin published a blog post containing the details of vulnerabilities impacting Sarathi Parivahan, the website for India’s Ministry of Road Transport and Highways.

The portal allows citizens to apply for a learner’s permit or driving license. Justin was attempting to apply for the latter when, within minutes, he stumbled upon endpoints with broken access controls and missing authorization checks.

‘Hiding in plain sight’

To authenticate, you only needed an application number and the applicant’s date of birth. However, an endpoint intended to check the application state was flawed, so an attacker could supply a random application number to learn the associated applicant’s date of birth, name, address, and driving license number – as well as pull up a photo of the individual.

Since brute-forcing random application numbers would be time-consuming, Justin explored the portal further and found a second vulnerable endpoint, which only required a phone number and a victim’s date of birth to access the application number.

A few minutes later, the researcher found a publicly accessible feature that was meant to be restricted to administrators. The feature allowed Justin to access documents uploaded by an applicant – described by the researcher as a “critically vulnerable endpoint hiding quite literally in plain sight for all to use”.

He continued: “To attain maximum impact here, we ought to chain this vulnerable endpoint with the one we found earlier, which gave us the application number of an Indian user with just their phone number and date of birth. This ultimately gives us the ability to access sensitive personal documents of any Indian we know the phone number and date of birth of.”
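The access-control gaps described in this section, sketched as an added example (not the portal's code and not from the researcher's write-up): a status lookup that trusts the application number alone, next to a version that requires both login credentials and returns only the status, plus a deny-by-default check for document access. The record, the `session` dictionary and all function names are hypothetical.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Application:              # constructed sample record, not real data
    number: str
    dob: str                    # ISO date
    name: str
    status: str
    documents: tuple

# Constructed in-memory store standing in for the portal's database.
APPLICATIONS = {
    "APP-0001": Application("APP-0001", "1990-01-15", "Sample Applicant",
                            "PENDING", ("id-proof.pdf",)),
}

def status_vulnerable(app_no):
    """The flaw as reported: the application number alone returns PII."""
    app = APPLICATIONS.get(app_no)
    return None if app is None else {"name": app.name, "dob": app.dob,
                                     "status": app.status}

def _authenticated(app_no, dob):
    """Both login credentials (application number and DOB) must match."""
    app = APPLICATIONS.get(app_no)
    expected = app.dob if app else "0000-00-00"   # still compare on a miss
    matches = hmac.compare_digest(expected.encode(), dob.encode())
    return app if (app is not None and matches) else None

def status_hardened(app_no, dob):
    """Requires the DOB, returns only the status, and fails uniformly."""
    app = _authenticated(app_no, dob)
    if app is None:
        return {"error": "not found"}   # same reply for bad number or bad DOB
    return {"status": app.status}

def documents_hardened(session, app_no):
    """Document access decided server-side: admin role or owner, else deny."""
    app = APPLICATIONS.get(app_no)
    if app is None:
        return None
    is_admin = session.get("role") == "admin"
    is_owner = session.get("application") == app_no
    return list(app.documents) if (is_admin or is_owner) else None
```

A date of birth is a low-entropy secret, so an endpoint like `status_hardened` also needs rate limiting and lockout on repeated failures.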

OTProblem

This wasn’t the end of the story. After reporting the above vulnerabilities to India’s Computer Emergency Response Team (CERT-IN) and receiving no response, Justin found a poorly secured one-time password (OTP) system for a SYSADMIN account.

He managed to log into the portal with this administrator account, granting him powers including applicant searches and document viewing. The researcher also had the option to process applications without in-person verification checks, approve requests to change license information, and access the PII of government staff working at regional transport offices.

“In a nutshell, I had direct access to critical documents like Aadhaar Cards and [the] passports of all 185 million+ Indians that hold a driver’s license,” the researcher noted. “I could’ve also generated as many valid government-approved driver’s licenses as I wanted.”

At this stage, Justin reported the additional vulnerability to CERT-IN. The researcher sent the initial report on November 7, 2022 and the second on December 5. Both reports have been marked as resolved, with fixes confirmed on January 25, 2023.

Speaking to The Daily Swig, Justin said that the research process was simple and that he hasn’t faced any adverse legal ramifications over his work.

He also said that no credit was offered by CERT-IN beyond an automated “Thank you for reporting this incident to CERT-IN” reply to the report upon initial triage. Feedback received was “limited to them letting me know how the reported vulnerability was fixed”.

The Daily Swig has reached out to CERT-IN and Sarathi Parivahan with additional queries but we have, as yet, received no reply from either. We will update the story if and when we hear back.

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/indian-transport-ministry-flaws-potentially-allowed-creation-of-counterfeit-driving-licenses

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO