<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans%3A400italic%2C700italic%2C400%2C700">Software testing Archives « Aam JanataSkip to content

3

The government of India doesn't seem to be interested in getting security vulnerabilities fixed. A CS engineer, Bhavyanshu Parasher, has been spending his time understanding the current security standards deployed by the government of India in most of its data-critical apps and websites. Last year, in September, he disclosed a security flaw in Prime Minster Narendra Modi's web API that exposed user identifiable information like e-mail addresses and also that there was no proper authentication check for API endpoints. During that disclosure, he faced challenges because it was difficult for him to get in touch with concerned authorities. He mentioned on his blog that e-mail address mentioned on Google's Play Store were not working. We had to contact @buzzindelhi (the handle used by BJP's Arvind Gupta on Twitter) to help him get in touch with the concerned authorities.

"The e-mail address provided on Google's Play Store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via Twitter."

Now, the same thing is happening again. He wants to disclose vulnerabilities in two major applications deployed by the Government of India but he is struggling to get in touch with the concerned authorities. He has published a post on his blog about it though he has not mentioned the specifics of the vulnerabilities yet, as he is hoping the government will patch them before he discloses them. However, this may be rendered moot, as our searches showed that at least one of the vulnerabilities has already been publicly disclosed, but not by Bhavyanshu. That security flaw is in an unpatched version of server software and there is a CVE assigned to it. Fix has been rolled out but developers are not aware of any of this. But then why wouldn't it be so? UIDAI website still uses SSLv2 and SHA1 encoding in a world where SSLv2 has been phased out for over a decade now, and even free SSL certificates like the one used on this site come with SHA2 encoding because SHA1 isn't considered secure. You can go to the UIDAI website and check this for yourself in your browser details for the SSL certificate.

UIDAI ssl fail
UIDAI SSL fail

Bhavyanshu sent emails on March 24 and then again on April 4, but he hasn't received any response. This time @buzzindelhi isn't showing much enthusiasm in getting the vulnerabilities fixed either. In response he just directed him to the public Twitter handle of Akhilesh Mishra (Director, myGov). Hardly an acceptable process for initiating discussion about security breaches!

https://twitter.com/buzzindelhi/status/714658965703958528

One would expect Mr. Mishra to contact Bhavyanshu immediately, but the truth is that even he isn't interested.There is, as yet, no reply from him.

It is cases like these which make the whole concept of Digital India look ugly. There are no dedicated e-mail addresses for security response teams. Official e-mail addresses don't work and the apps are poor on security. It is a goldmine for unethical hackers and a complete deterrent for ethical hackers who would like to help the government fix security leaks. There is no way for the researchers to get in touch with the concerned authorities. A concept like Digital India, without guaranteed user data security and user privacy, should not be promoted by the Government of India as it puts many people at risk.

Considering the complete lack of interest in securing the vulnerabilities, we cannot provide too many details. However, people looking to exploit government data would already have found these and would be using them by now. This isn't exactly rocket science. What data is vulnerable? Let us just say that I have seen e-mail addresses, Aadhaar numbers (where provided) and street addresses and can confidently say that a malicious hacker could write a script that replicates the data for all profiles. And before you think that such things are not done, just today, Madhu Menon posted a link to the hacked and leaked Turkish citizenship database.

A similar database of MyGov.in users could prove devastating to BJP, given that their supporters are disproportionately more likely to have signed up. And while Bhavyanshu stresses that he would not do it, it isn't outside the realm of belief that more malicious hackers not just could, but definitely would. And there seems to be no way to prevent this short of raising a public stink, because a government that claims to be interested in a Digital India does not seem to have the foggiest on digital security and the need to have developer teams rapidly rolling out fixes in the event vulnerabilities are found.

"Seems like the government doesn't have dedicated security team for projects that need immediate attention to security flaws. Instead, people who wish to disclose vulnerabilities have to rely on Twitter handles to get in touch with them. I am doing a lot of volunteer work like this because I like the concept of Digital India but I don't want it without data security and privacy. I have written a web app that will help eliminate this communication gap between researchers and authorities but whom to contact? Who are the concerned authorities after all? Don't give me another Twitter handle!" , Bhavyanshu told me when asked about the current status of vulnerability disclosure. He also pointed us to privacy policy of MyGov and why people should push government for better data security.

The page for MyGov.in on HackerOne - a bug bounty program by security leaders of top internet companies like Facebook, Microsoft and Google (that rewards hackers for finding and reporting vulnerabilities so that they can be fixed) says it all "There are no known guidelines for reporting potential security vulnerabilities to this organization." Even the fact that the app has no known process for reporting vulnerabilities is an immediate flag. It tells hackers that there is no one keeping an eye on it or worried about security. The most beginning programmer puts a working address on Google Play for contacting the developer. Yet, the official application of the largest democracy in the world fails to do it.

Contrast this with the Hack The Pentagon challenge that is actively rewarding hackers to break in and expose security vulnerabilities so that they can be fixed. This is the country where, a few days ago, our Prime Minister gave a speech at the nuclear summit on April Fool's Day explaining the need to fight terrorists using 21st century technology with modern technology.

Yet, his government seems supremely unconcerned about unauthorized access to confidential information. As the UK just saw, in a country that uses technology extensively, a security breach can be used as an attack vector, when hackers hack into the water supply and change the composition of chemicals put into the tap water. A more famous example to recall could be the Stuxnet worm that damaged Iran's nuclear facilities. Yep. Code resulting in real time damage to equipment. We have, in the past seen that banks too can be hacked. We have seen that election equipment can be rigged. What will it take for us to wake up before our money, our vote, our voice and even our physical location is compromised?

It is completely insane to push for a Digital India and inaugurate three websites a month without having the requisite push to secure the data that will now be vulnerable to theft, or facilities to access. If Digital India must be, then it must be preceded by a culture of taking technology seriously or the whole country will inevitably suffer.

MyGov privacy policy claims to protect user identifiable information. Below are the excerpts from their policy page.

1. "MyGov do not sell or share any personally identifiable information volunteered on this site to any third party (public/private). Any information provided on MyGov will be protected from loss, misuse, unauthorized access or disclosure, alteration, or destruction. MyGov gather certain information about the User, such as Internet protocol (IP) address, domain name, browser type, operating system, the date and time of the visit and the pages visited. MyGov make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage MyGov has been detected."
(https://mygov.in/simple-page/terms-conditions/)

2. "Please note that MyGov do not share any personally identifiable information volunteered on this site with any third party (public/private). Any information provided to this website will be protected from loss, misuse, unauthorized access, disclosure, alteration, or destruction."
(https://mygov.in/mygov-faq/)

Turns out that like many other things, this privacy policy is a jumla as well.

Bhavyanshu Parasher, a young computer science engineer took a look at Prime Minister Narendra Modi’s Android application (among popular apps he studied for his own research purposes). The Narendra Modi app had 500,000+ downloads at that time. He found a major security flaw in how the app accesses the “api.narendramodi.in/api” API.

At the time of disclosure, API was being served over “HTTP” as well as "HTTPS". "HTTP" was being served on older versions of the app. So people who were still using older version of the app were exposed to additional vulnerability. Data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted by MiTM attacks. Another bigger problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address) for any user and posting comments as any registered user of the app.

The magnitude of the seriousness of the loophole can be understood with the following exploit. The vulnerabilities have been fixed.

Exploit demo

Bhavyanshu wrote an exploit to demonstrate how easy it was to extract email addresses using the security flaw.

"The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user." - Original Vulnerability Disclosure.

See, for instance, here is the sample output for xrange(1,10).

Exploit Result
Extracted email addresses of first 10 users

Also, he was able to post comment as any user. For example,

Comment Exploit
Comment sent as user 4234
After this security flaw was exposed, Bhavyanshu and I made considerable efforts to draw attention of the Prime Minister's development team for improving the security, but it would be another three days before the API would stop leaking the information to whoever wished to use the security loophole. It is difficult to say who and how many people have already had access to the user data for all the users of the Narendra Modi app. "Why it took them so long to connect me with developers directly? This issue could have been resolved earlier. The email address provided on play store does not work. Government should find a way to create a direct communication channel between those who report flaws and the developers. They should adopt CVRF.", Bhavyanshu said.

What are the implications for Digital India?

At a time when Indian developers are stunned by the emergence of Ankit Fadia (mostly known as a self publicized, copy-paste plagiarist at-best-mediocre script kiddie), while concerns for data security are paramount, for the Prime Minister's app to leak user information amounts to any malicious entity having a ready list of every social media savvy mobile user supporter of the Prime Minister and ruling party among other citizens. What such information could be used for is anyone's guess.

With the Prime Minister releasing a site a month on an average, the complete lack of interest in securing the application from unauthorized use is alarming. What kind of information crucial to the country could be leaked to the unscrupulous with such a casual approach to securing the information that the government seems bent on putting online if the security for such a key app with 5-6 lakh users was so careless designed.

What happens if a hacker publishes problematic information as another user?

Digital India cannot succeed if it merely courts the big business of the internet without actually having the competence to secure its own data. That would be like riding a race horse without saddle, stirrups or even knowing how to ride. Sooner or later, the horse goes rogue and you have no way to save yourself, let alone control it.