BENGALURU, Karnataka — A vulnerability in the Uttar Pradesh State Road Transport Corporation (UPSRTC) website spotted by bug bounty hunter Avinash Jain, lead infrastructure security engineer at online grocery delivery store Grofers, put at risk the details of lakhs of customers who were using the site to book tickets.
Speaking to HuffPost India, Jain said that he had reported the vulnerability to CERT-IN, which fixed the issue but never acknowledged his report. It was only by sending multiple follow-up emails to the agency and re-testing the weakness himself that Jain was able to confirm that any action had been taken at all. This comes just months after the UP police arrested a group of hackers who had compromised the site to get free tickets.
Jain had earlier unearthed a similar vulnerability in the website of the IRCTC, which is still the biggest e-commerce destination in the country, with millions of people using the site to purchase tickets every single day. In that case, the vulnerability was in place for at least two years before it was flagged by Jain, and then closed. This UPSRTC incident, Jain said, highlights not just the simple vulnerability that put many people’s personal information at risk, but also the opaque processes that the government follows, making it harder for interested citizens to make an impact and help resolve issues.
In contrast, private companies offer public recognition on their websites, give gifts as tokens of appreciation, or even offer monetary rewards to people who point out weaknesses in their systems, said Jain, who has found bugs for companies such as MobiKwik, Hotstar and Google.
In the case of IRCTC, Jain simply received a mail from CERT stating that the vulnerability had been fixed. In the case of UPSRTC, Jain had to keep following up to find out what happened, while Google gave him a reward of $1,000. It is easy to see which systems are going to be tested by bug bounty hunters like Jain, and made more secure, and which vulnerabilities will remain undetected.
It’s not possible to determine the harm caused by the UPSRTC vulnerability, Jain said. “The vulnerability was there, and required fairly simple methods to gain access. And once that was done, anyone could get into their database, without leaving traces,” he said. “All the passenger information, like their names, mobile numbers, date of birth, the (partially masked) credit or debit card they used, all of this was available, and the username and password of the database admins was also stored in the same place.”
“This was encrypted, but at such a basic level, having the default encryption that MySQL provides, that anyone with access to Google could figure out how to decrypt them and access the information. In a nutshell, there was a SQL injection in a URL parameter, as there was not even the simplest protection there; an attacker can easily access the complete database and all the information lying inside it - customer PII data, DB passwords, logs, etc. Any malicious outside hacker could sell the customer data on the dark web or put it over social media/internet like many foreign hackers are doing with Aadhaar card details.”
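The two weaknesses Jain describes above, a URL parameter concatenated into a SQL statement and database credentials stored with an unsalted hash, are easiest to understand side by side with their fixes. The following is an added example written for this article; it is not code from the UPSRTC site or from Jain. The table layout, the PNR values and the passenger rows are constructed sample data, and the "default encryption that MySQL provides" is read here as the legacy unsalted PASSWORD()-style double-SHA1 hash (an assumption about what the article means).

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample bookings standing in for a ticketing table (hypothetical schema).
SAMPLE_BOOKINGS = [
    ("PNR1001", "Asha", "9876500001", "4111********1111"),
    ("PNR1002", "Ravi", "9876500002", "5500********0004"),
    ("PNR1003", "Meena", "9876500003", "3400******00009"),
]


def build_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookings (pnr TEXT, name TEXT, mobile TEXT, card_masked TEXT)"
    )
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?, ?)", SAMPLE_BOOKINGS)
    return conn


def lookup_vulnerable(conn, pnr):
    """The pattern the article describes: the URL parameter is spliced into the
    SQL text, so the caller controls the WHERE clause, not just the value."""
    sql = "SELECT pnr, name, mobile FROM bookings WHERE pnr = '" + pnr + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, pnr):
    """Hardened form: the driver sends the value separately from the statement,
    so whatever the parameter contains is compared as data only."""
    return conn.execute(
        "SELECT pnr, name, mobile FROM bookings WHERE pnr = ?", (pnr,)
    ).fetchall()


def legacy_mysql_hash(password):
    """Unsalted double-SHA1 in the format of MySQL's legacy PASSWORD() function.
    Deterministic and saltless, so equal passwords give equal hashes and the
    result can be matched against precomputed tables."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


PBKDF2_ITERATIONS = 200_000


def store_password(password):
    """Salted, slow hash suitable for storing credentials at rest."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    conn = build_db()
    probe = "x' OR '1'='1"  # a value that is harmless as data but rewrites the concatenated query
    print("vulnerable, normal PNR :", lookup_vulnerable(conn, "PNR1001"))
    print("vulnerable, probe      :", lookup_vulnerable(conn, probe))
    print("parameterized, probe   :", lookup_parameterized(conn, probe))
    print("legacy hash repeats    :", legacy_mysql_hash("secret") == legacy_mysql_hash("secret"))
    print("salted hash differs    :", store_password("secret") != store_password("secret"))
```

The `probe` value returns the entire bookings table through `lookup_vulnerable` and nothing at all through `lookup_parameterized`, which is the whole difference between "not even the simplest protection" and a query the web tier cannot be talked into rewriting. The hashing half shows why a saltless, fast hash stored beside the customer rows is only a speed bump once the table is readable.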
Jain shared screenshots and logs that confirmed the details that he gave. The screenshots include various details from the database including email IDs, phone numbers, and birth dates.
Ironically, this vulnerability was disclosed just a few months after the UPSRTC was compromised by a group of ‘hackers’ who were using it to get free tickets. According to reports, the Uttar Pradesh Special Task Force (UPSTF) arrested four people who booked free online tickets/reservations for buses on the UPSRTC website by compromising payment gateway traffic.
The ‘hackers’ were two B. Tech students, two school students, and one student doing a diploma course in a polytechnic college in Lucknow. The software mentioned in the report is simple tooling that can be found on Google and requires no extensive training to use. The police told the Times of India that information about these vulnerabilities and bugs is being spread through WhatsApp groups.
The lack of public disclosure by the government is a grave concern that Jain has been highlighting for some time now. “The Indian government doesn’t appreciate such efforts, which demotivates security researchers,” said Jain. “India has produced some great security researchers, but such talents are not recognised by the Indian government.”
When the government itself turns a blind eye to data breaches and security flaws, it’s perhaps no surprise that Indian companies have followed similar protocols. For example, FreshMenu saw the data of 100,000 users breached in 2016. The company chose not to disclose this because the breach was “limited”.