
Is Reserve Bank’s website vulnerable too?

Mithun MK

HYDERABAD:  The official website of the Reserve Bank of India (RBI) has been found to have an XSS (Cross Site Scripting) vulnerability. This is a very common type of vulnerability that allows an attacker to inject malicious code into the target website. When contacted, RBI at first said the issue had been resolved. However, the security researchers who pointed out the vulnerability in the first place challenged RBI’s claim by creating a pop-up box on its website with a message that read: “Hello Elliot, cross scripting is possible.”

On Tuesday, an RBI spokesperson told Express: “We do cybersecurity vulnerability tests on a regular basis. During our recent tests also we found nothing like that. Most websites have this XSS vulnerability, it’s there by default. The rbi.org.in is a public website, so all information on it is for public. It’s not a typical bank site that has sensitive information.”

The security flaw was first pointed out on May 19 by an Indian cybersecurity researcher who goes by the Twitter handle @DedS6c. When he could not reach RBI, he contacted Robert Baptiste, a French security researcher, on Monday, who also tweeted to RBI.

Baptiste responded to RBI downplaying the findings by inserting the pop-up box. After viewing the pop-up box with Baptiste’s message, the RBI spokesperson said they would get the issue resolved. An RBI source familiar with the security vulnerability said, “The pop-up window is not fetching any data from RBI’s system. Only a query sent from an outside link is flashing as a pop-up.”
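The source’s description, a query carried in an outside link that the page reflects back as live markup, is the reflected form of XSS the article opens with. The following is an added illustration, not code from the article or from RBI’s site: a hypothetical search handler that echoes a query parameter verbatim, beside the same handler with HTML output encoding, which is the standard fix. The URL, page template and injected string are all constructed for the example.

```python
# Added example (not from the article): reflected XSS via an echoed query
# parameter, and the hardened version that HTML-encodes the parameter.
import html
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical page template: the parameter lands in two contexts,
# element text (the <h1>) and an attribute value (the <input>).
PAGE = ('<!doctype html><html><body><h1>Results for: {q}</h1>'
        '<input name="q" value="{qattr}"></body></html>')


def query_param(url: str, name: str = "q") -> str:
    """Pull a query-string parameter out of a URL as a server handler would."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable: the parameter is copied into the HTML unchanged, so any
    markup in the link becomes live markup in the served page."""
    q = query_param(url)
    return PAGE.format(q=q, qattr=q)


def render_safe(url: str) -> str:
    """Hardened: encode '<', '>', '&' and quotes before the value reaches the
    page, so the browser renders it as text in both contexts."""
    q = query_param(url)
    return PAGE.format(q=html.escape(q, quote=True),
                       qattr=html.escape(q, quote=True))


# Constructed input: markup plus a stray quote instead of a search term.
INJECTED = '<script>/* constructed */</script>"'
CONSTRUCTED_URL = "https://example.invalid/search?q=" + quote(INJECTED, safe="")

if __name__ == "__main__":
    print("unsafe:", render_unsafe(CONSTRUCTED_URL))
    print("safe:  ", render_safe(CONSTRUCTED_URL))
```

Output encoding is per-context; the same value placed inside a `<script>` block or a URL would need that context’s encoding rather than HTML entities.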