French researchers highlight security flaws in Indian Railways portals

Exposing security flaws in critical Indian websites, portals belonging to the Indian Railways and their zonal offices were found to be vulnerable to basic SQL injection.

Published: 09th May 2018 05:58 AM | Last Updated: 09th May 2018 05:58 AM

Express News Service

HYDERABAD: In yet another shocking incident exposing security flaws in critical Indian websites, portals belonging to the Indian Railways and their zonal offices were found to be vulnerable to basic SQL (Structured Query Language) injection. However, much to the organisation’s relief, only non-sensitive tender-related documents were found to be exposed.

The security flaw was brought to light by two French security researchers, who were merely challenging each other to find security flaws in Indian government websites. Indian Railways claimed to have fixed the vulnerability after they were alerted by Express. The flaw allowed anyone to exploit the SQL injection vulnerability on these websites, which host tender-related documents uploaded by zonal officials.

The main website of the Indian Railways was also found to be vulnerable to cross-site scripting (XSS), which enables an attacker to “inject client-side scripts into web pages viewed by other users”. The websites belonging to South Eastern Railway, Central Organisation For Railway Electrification, North Central Railway, Diesel Loco Modernisation Works and Metro Railway Kolkata were among the few that were vulnerable.

“There was nothing exposed. Only what was meant to be exposed was exposed. The bidding documents are in a secure application. This is a website where tender docs are uploaded. There was no loss of data,” said a senior official with the Indian Railways who did not wish to be named, on Tuesday.

Robert Baptiste, the French security researcher who goes by the pseudonym Elliot Anderson, tweeted to the official Ministry of Railways Twitter handle on May 3, 2018. He was contacted the following day by officials from the Centre for Railway Information Systems (CRIS), the arm of the Indian Railways that maintains most of its important information systems. As of May 6, CRIS had fixed the vulnerabilities.

“He has not found anything really damaging. These are not transactional applications, like passenger reservation, ticketing, freight operation, procurement. They are under a different class of protection. These websites that were found vulnerable to SQL injection allow all our different units to upload documents on a regular basis; it’s possible that all of them do not follow the cybersecurity procedures to the teeth. So they upload documents without following protocols, and that may lead to SQL-type vulnerabilities,” said the Railway official. The Indian Railways conducts regular audits and will soon be undertaking another one. The French security researcher who found the vulnerability came across the security flaw “by doing simple, very basic test” and did it to prove a point to Baptiste.

“Robert Baptiste told media in France that French government websites are not secure and that Indian websites are better. I am sure he was only joking, but after that comment, I searched for big Indian government websites and chose Indian Railways and their sub-domains. It turns out that your different government sites and systems are rather poorly done,” said the French security researcher.

When asked how many websites related to railways were found vulnerable, he said, “Doing a simple search via google: site: can give you an idea. I think between 100 and 150 websites have this problem, maybe more. They all used the same content management system (CMS). I don’t have any interest in hacking the Indian government. My reason for this action was just an ego-patriotic-trip and proving that your governmental websites were not secure,” he added.
