HYDERABAD: In yet another shocking incident exposing security flaws in critical Indian websites, portals belonging to the Indian Railways and their zonal offices were found to be vulnerable to basic SQL (Structured Query Language) injection. However, much to the organisation’s relief, only non-sensitive tender related documents were found to be exposed.
The security flaw was brought to light by two French security researchers, who were merely challenging each other to find security flaws in Indian government websites. Indian Railways claimed to have fixed the vulnerability after they were alerted by Express. The security flaw allowed any hacker to use SQL injection vulnerability to hack these websites containing tender related documents uploaded to the website by zonal officials.
The main website of the Indian Railways, indianrailways.gov.in was also found to be vulnerable to Cross-site scripting (XSS) that enables an attacker to “inject client-side scripts into web pages viewed by other users”. The websites belonging to South eastern railways, Central Organisation For Railway Electrification, North Central Railway, Diesel Loco Modernisation Works, Metro Railway Kolkata were among the few that were vulnerable.
“There was nothing exposed. Only what was meant to be exposed was exposed. The bidding documents are in a secure application. This is a website where tender docs are uploaded. There was no loss of data,” said a senior official with the Indian Railways who did not wish to be named, on Tuesday.
Robert Baptiste, the French Security researcher who goes by the pseudonym, Elliot Anderson, on May 3, 2018, tweeted to the official Ministry of Railways Twitter handle. He was contacted by officials from the Centre for Railway Information Systems (CRIS), the arm of the Indian Railways that maintains most of its important information systems, the following day. The CRIS as on May 6, fixed the vulnerabilities.
“He has not found anything really damaging. These are not transactional applications, like passenger reservation, ticketing, freight operation, procurement. They are under a different class of protection. These websites that were found vulnerable to SQL injection allow all our different units to upload documents on a regular basis, it’s possible that all of them do not follow the cybersecurity procedures to the teeth. So they upload documents without following protocols, that may lead to SQL type of vulnerabilities,” said the Railway official. The Indian Railways does regular audits and will soon be undertaking another regular audit. The French security researcher who found the vulnerability came across the security flaw “by doing simple, very basic test” and did it to prove a point to Baptiste.
“Robert Baptiste told media in France that French government websites are not secure and that Indian websites are better, am sure he was only joking but after that comment, I searched for big Indian government websites and chose Indian Railways and their sub-domains. It turns out that your different government sites and systems are rather poorly done,” said the French security researcher.
When asked how many websites related to railways were found vulnerable, he said, “Doing a simple search via google: site: http://indianrailways.gov.in can give you an idea. I think between 100 and 150 websites have this problem, maybe more. They all used the same content management system (CMS). I don’t have any interest to hack the Indian government. My reason for this action was just an ego-patriotic-trip and proving that your governmental websites were not secure,” he added.