Exploit demo

Bhavyanshu wrote an exploit to demonstrate how easy it was to extract email addresses using the security flaw. “The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue. As you can see, it only required two parameters: userid, which we could easily iterate on starting from 1, & token, which was a fixed value. There was no authentication check on the API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like the email addresses of each and every user.” – Original Vulnerability Disclosure. For instance, here is the sample output for xrange(1,10). Also, he was able to post a comment as any user. For example,
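As an added illustration (not code from the original post, the disclosure, or the app itself), the snippet below contrasts the pattern the disclosure describes, a fixed token and no check on whose record is being requested, with the owner check that was missing, and adds a small detector that flags the server-side signature of userid iteration in access logs. The user table, session type and log lines are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed user table standing in for the app's database.
USERS = {1: {"name": "alice", "email": "alice@example.org"},
         2: {"name": "bob", "email": "bob@example.org"}}

@dataclass
class Session:
    user_id: Optional[int]   # None means the request carries no valid login

def get_profile_vulnerable(userid: int, token: str) -> Optional[dict]:
    # Pattern the disclosure describes: one fixed token shared by every
    # caller and no check that the caller owns the requested record,
    # so any userid value is answered.
    if token != "sometokenvalue":
        return None
    return USERS.get(userid)

def get_profile_fixed(userid: int, session: Session) -> Optional[dict]:
    # Hardened form: identity comes from the server-side session, and the
    # record is released only to its owner (object-level authorization).
    if session.user_id is None or session.user_id != userid:
        return None
    return USERS.get(userid)

def detect_enumeration(log_lines, threshold=5):
    """Return client IPs that requested at least `threshold` distinct userids.
    Sequential iteration over userid looks exactly like this server-side."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, _method, path = line.split()      # constructed format: ip method path
        if "userid=" in path:
            seen[ip].add(path.split("userid=")[1].split("&")[0])
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)

# Constructed access-log sample: one client walks userids 1..7, another asks once.
SAMPLE_LOG = [f"203.0.113.5 GET /api/getprofile?userid={i}&token=t" for i in range(1, 8)]
SAMPLE_LOG.append("198.51.100.9 GET /api/getprofile?userid=42&token=t")

if __name__ == "__main__":
    print(get_profile_vulnerable(2, "sometokenvalue"))   # any caller reads bob
    print(get_profile_fixed(2, Session(user_id=1)))      # None: alice is not bob
    print(detect_enumeration(SAMPLE_LOG))                 # ['203.0.113.5']
```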
What are the implications for Digital India?

At a time when Indian developers are stunned by the emergence of Ankit Fadia (mostly known as a self-publicized, copy-paste plagiarist and at-best-mediocre script kiddie), while concerns for data security are paramount, for the Prime Minister’s app to leak user information amounts to any malicious entity having a ready list of every social-media-savvy mobile user who supports the Prime Minister and the ruling party, among other citizens. What such information could be used for is anyone’s guess. With the Prime Minister releasing a site a month on average, the complete lack of interest in securing the application from unauthorized use is alarming. If the security of such a key app with 5-6 lakh users was so carelessly designed, what kind of information crucial to the country could be leaked to the unscrupulous by the same casual approach to securing the information that the government seems bent on putting online? What happens if a hacker publishes problematic information as another user?

Digital India cannot succeed if it merely courts the big business of the internet without actually having the competence to secure its own data. That would be like riding a racehorse without a saddle, stirrups or even knowing how to ride. Sooner or later, the horse goes rogue and you have no way to save yourself, let alone control it.
Founder at Aam Janata
Vidyut has a keen interest in mass psychology and using it as a lens to understand contemporary politics, social inequality and other dynamics of power within the country. She is also into Linux and internet applications and servers, and sees technology as an important area India lacks security in.