Headline
Indian transport ministry flaws potentially allowed creation of counterfeit driving licenses
Armed with personal data fragments, a researcher could also access 185 million citizens’ PII
Charlie Osborne 28 February 2023 at 14:15 UTC
Updated: 28 February 2023 at 14:51 UTC
Armed with personal data fragments, a researcher could also access 185 million citizens’ PII
A researcher has disclosed how he was able to access the personal identifiable information (PII) of potentially 185 million Indian citizens – and create counterfeit driving licenses to boot.
On February 20, student and cybersecurity researcher Robin Justin published a blog post containing the details of vulnerabilities impacting Sarathi Parivahan, the website for India’s Ministry of Road Transport and Highways.
The portal allows citizens to apply for a learner’s permit or driving license. Justin was attempting to apply for the latter when, within minutes, he stumbled upon endpoints with broken access controls and missing authorization checks.
‘Hiding in plain sight’
To authenticate, you only needed an application number and the applicant’s date of birth. However, an endpoint intended to check the application state was flawed, so an attacker could supply a random application number to learn the associated applicant’s date of birth, name, address, and driving license number – as well as pull up a photo of the individual.
Since brute-forcing random application numbers would be time-consuming, Justin explored the portal further and found a second vulnerable endpoint, which only required a phone number and a victim’s date of birth to access the application number.
YOU MIGHT ALSO LIKE Password manager security: Which is the right option for me?
A few minutes later, the researcher found a public domain feature that was meant to be restricted to administrators. The feature allowed Justin to access documents uploaded by an applicant – described by the researcher as a “critically vulnerable endpoint hiding quite literally in plain sight for all to use”.
He continued: “To attain maximum impact here, we ought to chain this vulnerable endpoint with the one we found earlier, which gave us the application number of an Indian user with just their phone number and date of birth. This ultimately gives us the ability to access sensitive personal documents of any Indian we know the phone number and date of birth of.”
OTProblem
This wasn’t the end of the story. After reporting the above vulnerabilities to India’s Computer Emergency Response Team (CERT-IN) and receiving no response, Justin found a poorly-secured one-time password (OTP) system for a SYSADMIN account.
He managed to log into the portal with this administrator account, granting him powers including applicant searches and document viewing. The researcher also had the option to process applications without in-person verification checks, approve requests to change license information, and access the PII of government staff working at regional transport offices.
“In a nutshell, I had direct access to critical documents like Aadhaar Cards and [the] passports of all 185 million+ Indians that hold a driver’s license,” the researcher noted. “I could’ve also generated as many valid government-approved driver’s licenses as I wanted.”
Read more of the latest government-related cybersecurity news
At this stage, Justin reported the additional vulnerability to CERT-IN. The researcher sent the initial report on November 7, 2022 and the second on December 5. Both reports have been marked as resolved, with fixes confirmed on January 25, 2023.
Speaking to The Daily Swig, Justin said that the research process was simple and that he hasn’t faced any adverse legal ramifications over his work.
He also said that no credit was offered by CERT-IN beyond an automated “Thank you for reporting this incident to CERT-IN” reply to the report upon initial triage. Feedback received was “limited to them letting me know how the reported vulnerability was fixed”.
The Daily Swig has reached out to CERT-IN and Sarathi Parivahan with additional queries but we have, as yet, received no reply from either. We will update the story if and when we hear back.
DON’T MISS Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption