Date: 2018-03-02

HYDERABAD: The Telangana government on Wednesday responded to a story that appeared in these columns on February 27, 2018 titled, “Hacker exposes major security flaw in Telangana government’s NREGA website” clarifying that the TSpost portal that was hacked by the French researcher was not in use after June 2, 2014, and contained only reports with respect to old wage payments made under the scheme. However, a web archive of the website shows data as recent as August 2017.

On February 23, French security researcher Robert Baptiste laid bare on Twitter the security flaw on the website and disclosed the Aadhaar authentication keys (API keys) of UIDAI that he obtained through the website. The website went offline after Express sought an official comment from the State IT department on Monday. “The said portal which was accessed by the researcher is the old website (www.tspost.aponline.gov.in) which is not in operation after the State bifurcation. However, the reports with respect to old wage payments can be viewed which were disbursed under the scheme,” said the TS Information and Public Relations department in an email response to the story. But a web archive of the website, which is no longer in existence, shows NREGA payments data as recent as Aug 1, 2017. The website contained Aadhaar-related details of those availing of the NREGA scheme in the state, as well as their pension details.

The security flaw pointed out by Baptiste exposed their bank account and Aadhaar details. The website, hacked using SQL injection, a common hacking technique, was designed, developed and operated by TSOnline, a division of APOnline, of AP. “This was a known website among Aadhaar researchers. The data from here was used last April to highlight the 36 per cent failure rate of Aadhaar biometric authentication. Them saying that the site was not in use and not being updated is incorrect,” said a security researcher who did not wish to be named.

The State publicity cell said the portal has migrated to a new address which is secure from such flaws. “The database cannot be manipulated as it is operated by a private IP address. The reports can only be viewed.” “When the issue was brought to the notice of the service provider, the website was verified and it was noticed that the researcher had only ‘viewed’ the data while accessing the website,” they added.