Hacker exposes major security flaw in Telangana government’s NREGA website

The IT Department was notified of the security flaw on Friday and it initiated a scan and audit of all government web portals on Monday.

Published: 27th February 2018 04:03 AM  |   Last Updated: 27th February 2018 05:05 PM   |  A+A-

hacking, intelligence, chinese, computer, cyber,

Image for representational purpose only.

Express News Service

HYDERABAD: Is our data stored by government on its portals and databases safe? Not quite, proved an Italian hacker who broke into Telangana’s NREGA portal, purportedly to highlight the flaws in the security infrastructure.Independent security researcher Robert Baptiste hacked the State government’s website http://tspost.aponline.gov.in and released its API keys on social media. The security flaw exposed that sensitive details like Aadhaar number, bank account number and other details of those linked to the NREGA scheme in Telangana could be accessed by a hacker.

The IT Department was notified of the security flaw on Friday and it initiated a scan and audit of all government web portals on Monday. The website in question was taken down a few hours after Express reached out to government officials regarding the hack.Robert claims he has been researching and exposing loopholes in the Aadhaar architecture over the past few months. “In theory, a government website is very secure but in #India it’s another story. http://tspost.aponline.gov.in  is vulnerable to a basic SQL injection,” he tweeted on Friday.

SQL injection is the most-common web hacking technique where malicious codes are placed in SQL statements. “The website is vulnerable to a basic SQL injection. Thanks to that, you can access all database of this website,” Robert said in a communication with Express. Using the SQL injection process, Robert did not just access Aadhaar details from NREGA website, but was also able to gain access to API keys of UIDAI’s Aadhaar database.

Using API keys of Aadhaar, anyone can make a fake Aadhaar app and upload the same on Google Playstore. In August last year, a techie working with Ola was arrested by Bangalore police for doing just that.“The only way to check if Aadhaar data hosted by governments are misused is by checking the logs,” said a security analyst who did not wish to be named.

“India’s IT Act prevent’s Indian researchers from looking into source codes of government digital services to find system flaws. As a result, the work is mostly done by foreign researchers. The UIDAI does not even have a portal where people can report these problems.”Government spokesperson assured the issue was not serious.

“We often have security researchers reach out to us highlighting security flaws and we do take corrective action. This is not a serious issue when one security loophole is closed another crop up. We have looked into the matter and have initiated a scan of all government web portals,” said Konatham Dileep, Director-Digital Media, Department of Information Technology, Electronics and Communication.

What is SQL injection?

Its is a code injection technique that might destroy your database. SQL injection is one of the most common web hacking techniques.

What is API?

API’s can be described as a way to plug your website into another. The code made available is called the API and can be used to build tools and widgets that are called applications.

Stay up to date on all the latest Telangana news with The New Indian Express App. Download now
(Get the news that matters from New Indian Express on WhatsApp. Click this link and hit 'Click to Subscribe'. Follow the instructions after that.)


Disclaimer : We respect your thoughts and views! But we need to be judicious while moderating your comments. All the comments will be moderated by the newindianexpress.com editorial. Abstain from posting comments that are obscene, defamatory or inflammatory, and do not indulge in personal attacks. Try to avoid outside hyperlinks inside the comment. Help us delete comments that do not follow these guidelines.

The views expressed in comments published on newindianexpress.com are those of the comment writers alone. They do not represent the views or opinions of newindianexpress.com or its staff, nor do they represent the views or opinions of The New Indian Express Group, or any entity of, or affiliated with, The New Indian Express Group. newindianexpress.com reserves the right to take any or all comments down at any time.

flipboard facebook twitter whatsapp