Skip to content

3

The government of India doesn't seem to be interested in getting security vulnerabilities fixed. A CS engineer, Bhavyanshu Parasher, has been spending his time understanding the current security standards deployed by the government of India in most of its data-critical apps and websites. Last year, in September, he disclosed a security flaw in Prime Minster Narendra Modi's web API that exposed user identifiable information like e-mail addresses and also that there was no proper authentication check for API endpoints. During that disclosure, he faced challenges because it was difficult for him to get in touch with concerned authorities. He mentioned on his blog that e-mail address mentioned on Google's Play Store were not working. We had to contact @buzzindelhi (the handle used by BJP's Arvind Gupta on Twitter) to help him get in touch with the concerned authorities.

"The e-mail address provided on Google's Play Store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via Twitter."

Now, the same thing is happening again. He wants to disclose vulnerabilities in two major applications deployed by the Government of India but he is struggling to get in touch with the concerned authorities. He has published a post on his blog about it though he has not mentioned the specifics of the vulnerabilities yet, as he is hoping the government will patch them before he discloses them. However, this may be rendered moot, as our searches showed that at least one of the vulnerabilities has already been publicly disclosed, but not by Bhavyanshu. That security flaw is in an unpatched version of server software and there is a CVE assigned to it. Fix has been rolled out but developers are not aware of any of this. But then why wouldn't it be so? UIDAI website still uses SSLv2 and SHA1 encoding in a world where SSLv2 has been phased out for over a decade now, and even free SSL certificates like the one used on this site come with SHA2 encoding because SHA1 isn't considered secure. You can go to the UIDAI website and check this for yourself in your browser details for the SSL certificate.

UIDAI ssl fail
UIDAI SSL fail

Bhavyanshu sent emails on March 24 and then again on April 4, but he hasn't received any response. This time @buzzindelhi isn't showing much enthusiasm in getting the vulnerabilities fixed either. In response he just directed him to the public Twitter handle of Akhilesh Mishra (Director, myGov). Hardly an acceptable process for initiating discussion about security breaches!

https://twitter.com/buzzindelhi/status/714658965703958528

One would expect Mr. Mishra to contact Bhavyanshu immediately, but the truth is that even he isn't interested.There is, as yet, no reply from him.

It is cases like these which make the whole concept of Digital India look ugly. There are no dedicated e-mail addresses for security response teams. Official e-mail addresses don't work and the apps are poor on security. It is a goldmine for unethical hackers and a complete deterrent for ethical hackers who would like to help the government fix security leaks. There is no way for the researchers to get in touch with the concerned authorities. A concept like Digital India, without guaranteed user data security and user privacy, should not be promoted by the Government of India as it puts many people at risk.

Considering the complete lack of interest in securing the vulnerabilities, we cannot provide too many details. However, people looking to exploit government data would already have found these and would be using them by now. This isn't exactly rocket science. What data is vulnerable? Let us just say that I have seen e-mail addresses, Aadhaar numbers (where provided) and street addresses and can confidently say that a malicious hacker could write a script that replicates the data for all profiles. And before you think that such things are not done, just today, Madhu Menon posted a link to the hacked and leaked Turkish citizenship database.

A similar database of MyGov.in users could prove devastating to BJP, given that their supporters are disproportionately more likely to have signed up. And while Bhavyanshu stresses that he would not do it, it isn't outside the realm of belief that more malicious hackers not just could, but definitely would. And there seems to be no way to prevent this short of raising a public stink, because a government that claims to be interested in a Digital India does not seem to have the foggiest on digital security and the need to have developer teams rapidly rolling out fixes in the event vulnerabilities are found.

"Seems like the government doesn't have dedicated security team for projects that need immediate attention to security flaws. Instead, people who wish to disclose vulnerabilities have to rely on Twitter handles to get in touch with them. I am doing a lot of volunteer work like this because I like the concept of Digital India but I don't want it without data security and privacy. I have written a web app that will help eliminate this communication gap between researchers and authorities but whom to contact? Who are the concerned authorities after all? Don't give me another Twitter handle!" , Bhavyanshu told me when asked about the current status of vulnerability disclosure. He also pointed us to privacy policy of MyGov and why people should push government for better data security.

The page for MyGov.in on HackerOne - a bug bounty program by security leaders of top internet companies like Facebook, Microsoft and Google (that rewards hackers for finding and reporting vulnerabilities so that they can be fixed) says it all "There are no known guidelines for reporting potential security vulnerabilities to this organization." Even the fact that the app has no known process for reporting vulnerabilities is an immediate flag. It tells hackers that there is no one keeping an eye on it or worried about security. The most beginning programmer puts a working address on Google Play for contacting the developer. Yet, the official application of the largest democracy in the world fails to do it.

Contrast this with the Hack The Pentagon challenge that is actively rewarding hackers to break in and expose security vulnerabilities so that they can be fixed. This is the country where, a few days ago, our Prime Minister gave a speech at the nuclear summit on April Fool's Day explaining the need to fight terrorists using 21st century technology with modern technology.

Yet, his government seems supremely unconcerned about unauthorized access to confidential information. As the UK just saw, in a country that uses technology extensively, a security breach can be used as an attack vector, when hackers hack into the water supply and change the composition of chemicals put into the tap water. A more famous example to recall could be the Stuxnet worm that damaged Iran's nuclear facilities. Yep. Code resulting in real time damage to equipment. We have, in the past seen that banks too can be hacked. We have seen that election equipment can be rigged. What will it take for us to wake up before our money, our vote, our voice and even our physical location is compromised?

It is completely insane to push for a Digital India and inaugurate three websites a month without having the requisite push to secure the data that will now be vulnerable to theft, or facilities to access. If Digital India must be, then it must be preceded by a culture of taking technology seriously or the whole country will inevitably suffer.

MyGov privacy policy claims to protect user identifiable information. Below are the excerpts from their policy page.

1. "MyGov do not sell or share any personally identifiable information volunteered on this site to any third party (public/private). Any information provided on MyGov will be protected from loss, misuse, unauthorized access or disclosure, alteration, or destruction. MyGov gather certain information about the User, such as Internet protocol (IP) address, domain name, browser type, operating system, the date and time of the visit and the pages visited. MyGov make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage MyGov has been detected."
(https://mygov.in/simple-page/terms-conditions/)

2. "Please note that MyGov do not share any personally identifiable information volunteered on this site with any third party (public/private). Any information provided to this website will be protected from loss, misuse, unauthorized access, disclosure, alteration, or destruction."
(https://mygov.in/mygov-faq/)

Turns out that like many other things, this privacy policy is a jumla as well.

RNA Corp Pvt Ltd defaults, Bank of India takes possession of secured assets under Sarfaesi

RNA Corp Pvt Ltd, a prominent Mumbai based developer, has defaulted in its commitments to Bank of India. After Mantri Developers, RNA Corp is major developer who has failed to pay its dues.

Bank of India has issued a possession notice dated February 15, 2016 under the Securitisation & Reconstruction of Financial assets and Enforcement of Security Interest Act 2002 to RNA Corp Pvt Ltd and guarantor Chamber Construction Pvt Ltd on taking possession of  various assets given security. Assets include Flat/units admeasuring 8820 sq ft Kandivali, Mumbai, parcels of land admeasuring 46300 sq metres in Vasai, Thane and Flat at Sai Mansion,Cumballa Hill Road, Mumbai.

Total dues of Bank of India are about Rs 58.18 crore.

Total dues of State Bank of India are about Rs 62.00 crore.

RNA also enjoys loans from Axis Bank, Punjab National Bank, Reliance Capital Ltd, Reliance Home Finance Ltd and State Bank of India.

RNA_Corp._Defaults_Bank_od_India_

Bhavyanshu Parasher, a young computer science engineer took a look at Prime Minister Narendra Modi’s Android application (among popular apps he studied for his own research purposes). The Narendra Modi app had 500,000+ downloads at that time. He found a major security flaw in how the app accesses the “api.narendramodi.in/api” API.

At the time of disclosure, API was being served over “HTTP” as well as "HTTPS". "HTTP" was being served on older versions of the app. So people who were still using older version of the app were exposed to additional vulnerability. Data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted by MiTM attacks. Another bigger problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address) for any user and posting comments as any registered user of the app.

The magnitude of the seriousness of the loophole can be understood with the following exploit. The vulnerabilities have been fixed.

Exploit demo

Bhavyanshu wrote an exploit to demonstrate how easy it was to extract email addresses using the security flaw.

"The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user." - Original Vulnerability Disclosure.

See, for instance, here is the sample output for xrange(1,10).

Exploit Result
Extracted email addresses of first 10 users

Also, he was able to post comment as any user. For example,

Comment Exploit
Comment sent as user 4234
After this security flaw was exposed, Bhavyanshu and I made considerable efforts to draw attention of the Prime Minister's development team for improving the security, but it would be another three days before the API would stop leaking the information to whoever wished to use the security loophole. It is difficult to say who and how many people have already had access to the user data for all the users of the Narendra Modi app. "Why it took them so long to connect me with developers directly? This issue could have been resolved earlier. The email address provided on play store does not work. Government should find a way to create a direct communication channel between those who report flaws and the developers. They should adopt CVRF.", Bhavyanshu said.

What are the implications for Digital India?

At a time when Indian developers are stunned by the emergence of Ankit Fadia (mostly known as a self publicized, copy-paste plagiarist at-best-mediocre script kiddie), while concerns for data security are paramount, for the Prime Minister's app to leak user information amounts to any malicious entity having a ready list of every social media savvy mobile user supporter of the Prime Minister and ruling party among other citizens. What such information could be used for is anyone's guess.

With the Prime Minister releasing a site a month on an average, the complete lack of interest in securing the application from unauthorized use is alarming. What kind of information crucial to the country could be leaked to the unscrupulous with such a casual approach to securing the information that the government seems bent on putting online if the security for such a key app with 5-6 lakh users was so careless designed.

What happens if a hacker publishes problematic information as another user?

Digital India cannot succeed if it merely courts the big business of the internet without actually having the competence to secure its own data. That would be like riding a race horse without saddle, stirrups or even knowing how to ride. Sooner or later, the horse goes rogue and you have no way to save yourself, let alone control it.

First of all, what is National Encryption Policy?

“Under Section 84A of Information Technology Act, 2000 Rules are to be framed to prescribe modes or methods for encryption”. So DeitY has framed a draft of such rules which will decide the future of how encrypted services are to be used or provided to users in India. The preamble in the draft clearly shows that they very well understand what encryption is meant to be used for. What they fail to understand is how it helps secure communication between two entities. The problem lies in the strategies stated in the draft. Let us break the draft into parts and try to analyze how exactly they can possibly ruin encrypted services and also how it will affect you.

  • (III Objectives i)) states “to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security”. This is perfect but then they contradict themselves by saying (IV Strategies 4), “On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organization/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country”. Yeah, so what is wrong with this? Well, to answer this, let us take an example. You are currently using messaging services that encrypt data sent over network. You still have a sense of security that you can freely talk about things over the network without worrying that ISPs, private companies and the government are continuously monitoring/logging what you say. The problem arises when the private companies like your Internet service provider, government and even notorious hackers can misuse this data. What government has stated under “Strategies” is not exactly that but a different version of this. They don’t want to get rid of the encryption but want a backdoor access to the encrypted networks. This is not acceptable. By demanding this, they are putting critical data and infrastructure in danger. Why? Ask these questions to yourself. Can we trust the authorities to keep the keys and the data in “Plain text” safe from hackers? It is common that hackers target government organizations everyday to get their hands on information. Governments are easy targets for most hackers because they don’t invest enough resources in security. Can we trust the government employees with our data who can’t prevent hacks on government websites? The cost of such security breaches would be severe. Think if e-commerce companies are forced to keep currently encrypted data in plain text as well. Not challenging anyone’s security but knowing that hackers always find a way in, from experience, I can tell that I would probably never use e-commerce services again knowing they are storing critical data in plain text as well. Like me, many would not want to access such services ever. This will affect the economic growth. These services will lose users. If there is a security breach and hackers have access to data stored in “plain text”, people will think twice before using such services ever again. At least currently the data is encrypted. Even if hackers get in, there is still an extra layer of protection. They may or may not be able to decrypt the data easily. Of course it all depends on the methods used to encrypt such data. This is one of the major problems that I personally see with government asking services for back-doors.
  • (IV Strategies 5) states that “B/C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All information shall be stored by the concerned B/C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India”. The entity B is any business and commercial private or public bodies providing encrypted services and entity C includes every citizen. This is completely broken. They say that all information should be stored by concerned B/C entity for 90 days from the date of transaction. How can they expect citizens to store such information? What if the hackers hack into anyone under “C” entity and gets access to that information. In that case, who will be held responsible? Will the government take responsibility because they demand users to store such important information for 90 days? Moreover, they are clearly saying that they will be the ones to dictate what encryption algorithms to use and what should be the size of the key. This will cause problems to any business on the technical front. What if their business wants to use a different encryption algorithm because it suits their requirements better? Now the government will decide how you should do business and the technology used behind your encrypted network? That’s why this is completely broken.
  • The most absurd point, according to me, (IV Strategies 7), states that “Users within C group (i.e. C2C Sector) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All citizens (C), including personnel of Government/Business (G/B) performing non-official/personal functions, are required to store the plain-texts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country”. This is a horrible strategy to propose. See, C group contains every citizen. So this clearly applies to communication between two citizens. Now let us take an example. I encrypt most of my emails with PGP and now according to the above stated strategy, the government can tell me to stop using PGP and use something else or they can also tell me to reduce the size of the key. This will only make my data more vulnerable. There is a reason why PGP exists. I use it so I can be sure that the email is only read by the person whom I grant access to. No matter what network it passes through, no one else will be able to read that data. I have this sense of security right now. The point 7 even takes away that from me.
  • (V Regulatory Framework 1), states that “while seeking registration, the vendors shall submit working copies of the encryption software/hardware to the Government along with professional quality documentation, test suites and execution platform environments”. This is very stupid. Why? See, if some xyz organization has some patented or closed source encryption technology, the government cannot just ask them disclose every detail of the encryption technology. The government will have to get a license from the organization to get each and every detail of how the encryption is implemented. Think about the cost. Secondly, the more problematic situation is that what if such details land up in the hands of competitors? Bam! that will expose your whole security infrastructure to competing company. That can happen. How can you rule out such possibility when you know more than one organization has all this information stored somewhere? Whom can you trust?
  • (V Regulator Framework 3), states that “The vendors of encryption products or service providers offering encryption services shall necessarily register their products / services with Government for conducting business in the country”. So most of the services will probably not wanna do business in India because of above stated reasons. Now you only decide if it’s going to affect the economy or not.
  • Lastly, (V Regulator Framework 5), states “Users in India are allowed to use only the products registered in India”. Well, say goodbye to VPN services. You see what they did there?

I am just an engineer. I am stating my opinion on this because I think it will affect me a lot. Your comments on this are welcome and hope we can have a healthy discussion on this. This will ultimately affect you and how you use Internet services. Hence, this is a crucial matter and everyone from tech should participate in this.

[Update - September 21]

New exemptions to DeitY policy
New exemptions to DeitY policy

All those who are saying that the proposed addendum exempts social media apps, messaging apps, etc., have clearly not read the addendum point 1 carefully. It states that “mass use encryption products” are exempted from the NEP. The “mass use encryption products” definitely does not include copyright crypto algorithms/proprietary encryption products owned by respective companies. So it does not clarify anything but only adds to the problems.

I am just an engineer. I am stating my opinion on this because I think it will affect me a lot. Your comments on this are welcome and hope we can have a healthy discussion on this. This will ultimately affect you and how you use Internet services. Hence, this is a crucial matter and everyone from tech should participate in this.

Originally published by Bhavyanshu Parasher here.

 

Monday, 9 March, 2015, Mumbai: Imagine you are enjoying dinner with your family at Golden Chariot restaurant, on the second floor of Goregaon's famous mall, The Hub. Suddenly, you see smoke. No, not the delicious smoke from a sizzler, but the black, rubbery-smelling smoke from a short-circuit. An uncontrolled blaze has broken out in the building. People are shouting, "Fire! Fire!" and stampeding in panic. But you are calm. You guide your family to the nearest door that says, "FIRE EXIT". But you are shocked to find that this door only leads to toilets and an enclosed room where drinks and junk are being stored! It does not lead to a staircase! You angrily start yelling at the Golden Chariot employees, asking where is the nearest genuine fire exit door that leads to a staircase. But nobody replies; people are running helter-skelter, the dimly-lit restaurant is filling up with thick smoke, and the temperature is rising.

1 False Fire Exit sign no 2 -- Golden Chariot

Photo 1: Activist Sulaiman Bhimani (right) shows a false Fire exit no. 1 in Golden Chariot restaurant. The fire exit has been illegally enclosed and converted into a storage area.

Then you see another large door in the same hall marked "FIRE EXIT". You push the door desperately, but the door does not open. It is locked! Your wife and children are depending on you, and you are wasting precious minutes by leading them into dead ends!

2 False Fire Exit no 3 -- Golden Chariot

Photo 2: Sulaiman Bhimani pushes Fire exit no. 2 in Golden Chariot, to show that the door is kept locked and will not open.

Finally, you all manage to run out of Golden Chariot restaurant, and reach the fire-exit staircase. You see other people going down the staircase, and you feel reassured that only two floors down, there is a door to exit the burning building.

But when you reach the ground floor, you are in for another shock: the door for going out of the building is chain-locked from outside! You can peep outside and shout, but the opening is too narrow to get out of!

3 Chained from outside -- Ground floor fire exit 2
Photo 3: On ground floor, one fire exit is chained from outside.

 

4 Chained from outside close up -- fire exit 2 at ground floor
Photo 4: A close-up showing the chain-locked door.

The crowd that is trapped with you is pushing, shoving and turning into a panicky stampeding mob. You all try running to another door, and this one is locked from within!

5 Chain locked -- Hub mall ground floor fire exit 1
Photo 5: Another ground-floor fire-exit, locked from inside. Imagine being trapped by this door while trying to escape a fire!

Many of the ways out of Hub Mall seem to be barred! By now, the boxes of goods and inflammable junk that are stored in the fire-exit by Big Bazaar in the basement have caught fire, and the stairwell is starting to feel like the chimney of a furnace! Thoughts of the 59 people who died in the Uphaar Cinema tragedy behind closed fire-exits flashes through your mind...

Is your family safe when it visits The Hub? On the contrary, it has been converted into an accident-waiting-to-happen. Next time you visit to Goregaon's Hub Mall, please take the trouble to walk around the fire-escape doors and walk up and down the stairwells. See for yourself how many fireexit doors are closed, and how many fire-exit passages have been encroached by greedy hoteliers and storekeepers.

Motivated by whistleblower Shaikh Fakhruddin "Fakhru" Junaid, who owns a shop on the second floor, RTI activists Sulaiman Bhimani and Krishnaraj Rao took such a walk on Saturday, and they took photographs of the hazards. Are the authorities aware of these hazards? Absolutely! Fakhru has been complaining to Mumbai Fire Brigade for the last two years, and the Chief Fire Officer's office has written to the Municipal Corporation noting the grave violations. The office of the Chief Fire Officer (CFO) reported various violations to MCGM on 14th November 2014.

CFO's letter: http://tinyurl.com/CFO-Golden-Chariot
Fakhru's letters to MCGM: http://tinyurl.com/Complaint-Golden-Chariot

Highlights of the CFO's observations:

  1. "In the north side landing on the second floor, the staircase landing was partially obstructed by keeping refrigerator and other things by the Golden Chariot restaurant and an unauthorized construction of the steel frame plywood sheet enclosure box for A.C. Unit and a steel ladder for access to the loft in encroached area of common passage by the Golden Chariot restaurant.
  2. "The common toilet block along with its approach passage and way to emergency exit of north side staircase was blocked for public use by illegally encroaching and utilizing it for restaurant activity by Golden Chariot Restaurant."
  3. "The amalgamation of two shop no. 23 and 24 along with its front common passage was done and merged it in the dining area by Golden Chariot restaurant without taking NOC and sanctioning the plan from the Fire Brigade Department."
  4. "In view of the above circumstances, I have to inform you that the MOH and Fire Brigade Department have already rejected the application for the trade licence of M/s Golden Chariot Hospitality Services Pvt. Ltd..."

Ok, so let's get this straight: Golden Chariot doesn't even have a licence to manufacture and serve food, but even then, it is not only serving food, but also alcohol. And it holds live performances!

6 Golden Chariot -- Happy hour and live ghazal
Photo 6: No licence to even serve food... but here they are, serving drinks and holding live performances!

However, the police sees fit to give this dangerous unlicensed restaurant a license to attract the public by holding live performances! See this police performance license: http://tinyurl.com/Performance-Golden-Chariot

Bear in mind, private house parties have been raided by cops, and named and shamed in the media for serving liquor and organizing an unlicensed performance for a single evening! So, the question arises whether the excise department and the police department is hand-in-glove with the restaurant owners? How come they have not cracked down on such blatant and continuing violations of various laws and public safety norms?

One must keep wondering… because yeh hai Mumbai, meri jaan!

Big Bazaar – a bomb in the basement

The story however does not end with Golden Chariot. Big Bazaar, which is situated in the basement of Goregaon’s Hub Mall, is another dangerous violator. Not only is it carrying on business illegally in the basement (a major MRTP violation), but further compounding the hazards, Big Bazaar has blocked numerous fire escapes with shopping carts, cartons of inflammable goods, and huge piles of garbage. See these photos taken on Saturday.

7 What lies inside Big Bazaar's fire exit

Photo 7: This Big Bazaar fire exit is filled with goods, weighing machines, etc.

8 Big Bazaar uses Fire Escape for storage and backroom operations
Photo 8: In this fire exit, Big Bazaar carries on backroom operations.

9 Fire escape of Hub Mall Big Bazaar -- obstructed and used for trade

Photo 9: This stairwell is used to store flammable junk, and backroom operations.

See many more high-res photos of Fire Safety Hazards of Hub Mall, Big Bazaar and Golden Chariot: http://tinyurl.com/Photos-Hub-Mall-Golden-Chariot

Journalists interested in knowing more may contact:
Fakruddin: 08879-414793
Jyoti Ladwal: 098-20-607950
Akash Dhupar: 099-20-752746
Human Rights & RTI Activist Sulaiman Bhimani 093-23-642081

ISSUED IN PUBLIC INTEREST BY
Krishnaraj Rao
9821588114
9821588114