HYDERABAD: Following allegations of data breaches due to hardcoded passwords in the Telangana State (TS) COP app, officials from the Telangana Police Technical Services wing suggested that the lapse might have occurred before the app’s release to users.
Hyderabad-based WINC IT was one of the developers of the application, which was launched in 2018. Until the first half of 2023, Tata Consultancy Services (TCS) was the main system integrator; the role was later taken over by Larsen & Toubro (L&T).
A senior official of the Technical Services wing told TNIE, “Usually, the developers use the hardcoded passwords during the development stage and secure them before releasing the app to the users.”
Hardcoding passwords, the discouraged practice of storing them as unencrypted plain text in an application's code, significantly elevates the risk of unauthorised access, particularly by malicious actors seeking to guess passwords.
Asked how the alleged hack could have happened, the official said, “This could have been done via the compromised system’s Application Programming Interfaces (APIs). One could have used a weaker API endpoint and then reached out to another application to get to the data.”
However, this is all guesswork as of now, and a thorough investigation is in progress, the official added.
APIs are mechanisms that enable two software components to communicate with each other.
The official asserted that no financial data has been leaked and that most of the information related to patrolling and monitoring on the TSCOP was not extremely sensitive data and could have been accessed via RTI.
To lure buyers, the hacker reportedly posted sample data on the platforms, including records of offenders, police gun licences and other law enforcement information. Information about police officers and stations, designations and images was also made available online for purchase.
The TSCOP is integrated with the standalone tool Face Recognition System (FRS) to aid investigation officers in the prevention of crime. It involves the identification of criminals or suspects.
With regard to the hack of the Telangana State Police SMS service, the official said that the threat actor ‘Adm1nFr1end’ could not easily misuse the service to send false message alerts to the public. “Such messages need approval from the TRAI, which will not sanction permits if it is not through official communication. All of this is being done by miscreants to create a cheap sensation,” he asserted. The Technical Services wing also said that the SMS service has been defunct since 2022.
Even if there is a lapse, the leak would be confined to non-confidential data, the official highlighted. As of now, the Technical Services wing has taken control of all the department’s mobile applications and websites. “We are doing a vulnerability assessment and penetration test (VAPT) and have initiated checks on all platforms where there is a user interface,” the official said.
On security audits, he claimed that departmental checks have been more efficient than security audits, and that the last such check was done nearly five months ago. “It is possible that the person looking into the check may have overlooked certain parts of the guidelines and there could have been a lapse,” the official pointed out.
Notably, this is the second major data breach that hit Telangana police after data of the citizen-friendly app, Hawk Eye, was breached on May 29.