A critical vulnerability that exposed the personal details of VVIPs, including top industrialists, celebrities and sports personalities in the country, has been fixed by the Ministry of Corporate Affairs months after a cyber security expert flagged the issue.
Sai Krishna Kothapalli, founder & CEO of Hackrew Infosec, who came across the vulnerability by chance and flagged it to Computer Emergency Response Team, India (CERT-IN) on January 16, 2023, confirmed that the problem appeared to have been resolved after 10 months on December 20, 2023. However, suspecting theft or abuse of the sensitive data, he has called for an investigation.
Also read | Why ransomware attacks on Indian IT firms are a cause for concern?
It was during Pongal holidays last year that Mr. Sai Krishna while working on a security tool called “Eagle Eye” stumbled upon personal details such as Aadhaar, PAN, Voters Identity, Passport, Date of Birth, contact number, communication address etc of VVIPs. This vulnerability exposed the personal details of about more than 98 lakh Directors of Indian companies.
Freely available online
“This is a story on how personal data of prominent personalities like Ratan Tata, Mukesh Ambani, Gautam Adani, Shah Rukh Khan, Virat Kohli and many other influential people was freely available online due to a vulnerability in a government portal. Keeping the severity of such a data leak in mind, I immediately reported the matter to CERT-IN and requested that it be fixed as soon as possible,” Mr. Sai Krishna told The Hindu on Tuesday.
An alumnus of IIT-Guwahati, Mr. Sai Krishna said he was preparing a proof of concept for “Eagle Eye”, which was capable of detecting secrets and sensitive information from websites, when he visited the website of the Ministry of Corporate Affairs.
“The next day, I noticed something interesting while going through the logs. I didn’t realise the ‘Eagle Eye’ tool I was prototyping was running in the background while browsing the MCA website. That night, it picked something up. There was some PII [Personal Identifiable Information] like email and phone numbers that were in the HTTP response but not there in the rendered HTML. This means that the browser received some data that’s not shown anywhere on the screen,” he said.
Sensitive data
This was a generic type of vulnerability usually present in web/mobile applications. The server was sending more than necessary data. Sometimes, this could include sensitive data. “I was just as shocked. In front of my eyes, I had all the personal details of very important persons which were available for any individual or agency in India or abroad to access and even abuse. Such information is a jackpot for scammers. In a recent incident, scammers duped banks to the tune of ₹50 lakh just by using PAN numbers of some VIPs,” he said.
But what came as a rude shock to Mr. Sai Krishna was that despite passing on the alert to CERT-IN, the vulnerability remained for a few months. It took 11 months and 4 days for the critical issue that leaked personally identifiable information of approximately 98 lakh Indians, including many high net-worth individuals, to get resolved.
“There are a lot of companies openly selling the contact information [email and phone numbers] of directors online. I don’t know if this vulnerability has been exploited. I have requested for a thorough investigation,” he said.