HYDERABAD: Following an exclusive story by The New Indian Express on security flaws in India Post's portals, the government-run postal service has responded, stating that its core system integrator is fixing the flaws.
India Post also confirmed that another layer of security has been added by restricting access to the intended users only.
"Sir, Bugs noticed in DoP's non-production domain https://t.co/rU60ja6IV3 are being fixed by our core system integrator. However another layer of security has been added by restricting the access to the intended users only."
— India Post (@IndiaPostOffice), March 13, 2018
On Sunday, The New Indian Express had reported that security flaws in India Post's portals meant for official use had exposed bank account details of employees, as well as a database of sensitive customer and vendor information, to cyber attacks.
The attacks were carried out using a flaw in Apache Struts, an open-source Java web application framework that the Department of Posts uses to build its web applications. The server was also found to hold a malicious file, a web shell, uploaded by attackers in 2017 with the intention of taking control of India Post servers. As of Saturday, India Post was still working to fix the issue.
A flaw of this kind in Apache Struts, a remote code execution bug in the framework's Jakarta Multipart parser tracked as CVE-2017-5638, was behind the 2017 breach at the US credit reporting firm Equifax, which exposed the personal data of more than 140 million US consumers, including over 200,000 credit card numbers. Struts had shipped a fix roughly two months before that intrusion began; applying the update would have prevented the loss.
According to the researchers, India Post's portal was exposed to the same vulnerability, along with a few other security flaws. However, when contacted by the New Indian Express, the organisation claimed there had been no data loss and downplayed the sensitivity of the data that was exposed.
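For readers who have to respond to a similar incident, the following is an added worked example written for this page (it is not India Post's code, the researchers' tooling, or anything taken from the report) showing the two checks that come first when an Apache Struts server is suspected of having been exploited: spotting OGNL-injection requests in the access logs, and scoring uploaded script files for web-shell indicators. It assumes the Struts flaw is the Jakarta Multipart bug CVE-2017-5638 that hit Equifax (the report says India Post faced "the same vulnerability" but names no CVE), and it assumes a combined access-log format with the request's Content-Type logged as the last quoted field; the log lines and script snippets are constructed samples, not data from any real server.

```python
"""Triage checks for a suspected Apache Struts RCE incident.

1. find_struts_exploit_attempts(): flag requests whose Content-Type header
   carries an OGNL expression, the signature of the Jakarta Multipart parser
   bug (CVE-2017-5638) exploited at Equifax. Assumption: this is the flaw
   involved; the report names no CVE.
2. score_web_shell(): rate a script file for web-shell indicators, since a
   shell left behind keeps the foothold alive after Struts is patched.
"""
import re
from typing import Dict, List

# Assumed combined-log format with the request Content-Type appended as the
# last quoted field; adjust LOG_RE to match your own server's log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<ctype>[^"]*)"$'
)

# A legitimate Content-Type never contains an OGNL expression, so any hit
# on these patterns is worth investigating.
OGNL_INDICATORS = {
    "ognl_expression": re.compile(r"[%$]\{"),
    "member_access_bypass": re.compile(r"_memberAccess|DEFAULT_MEMBER_ACCESS"),
    "command_exec": re.compile(r"ProcessBuilder|getRuntime|#cmd\b"),
    "multipart_prefix": re.compile(r"#_\s*=\s*'multipart/form-data'"),
}

# Source-level web-shell indicators: request input reaching command or code
# execution, plus the obfuscation wrappers shells commonly use.
SHELL_INDICATORS = {
    "command_exec": re.compile(
        r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(|new ProcessBuilder"),
    "code_eval": re.compile(r"\b(eval|assert)\s*\("),
    "request_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|request\.getParameter\("),
    "obfuscation": re.compile(r"base64_decode|gzinflate|str_rot13"),
}


def parse_log_line(line: str) -> Dict[str, str]:
    """Return the named fields of one access-log line, or {} if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def find_struts_exploit_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose Content-Type matches an OGNL indicator."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if not rec:
            continue
        found = [name for name, rx in OGNL_INDICATORS.items() if rx.search(rec["ctype"])]
        if found:
            hits.append({"ip": rec["ip"], "time": rec["time"],
                         "path": rec["path"], "indicators": found})
    return hits


def score_web_shell(source: str) -> Dict[str, object]:
    """Flag a script as a likely shell when attacker input reaches exec/eval."""
    found = [name for name, rx in SHELL_INDICATORS.items() if rx.search(source)]
    executes = "command_exec" in found or "code_eval" in found
    return {"indicators": found, "likely_shell": executes and "request_input" in found}


# Constructed sample log lines (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2017:10:02:11 +0530] "POST /upload.action HTTP/1.1" 200 512 "-" "curl/7.52" "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='whoami')}"
198.51.100.7 - - [13/Apr/2017:10:03:40 +0530] "GET /index.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "text/html"
203.0.113.5 - - [13/Apr/2017:10:04:02 +0530] "POST /upload.action HTTP/1.1" 200 128 "-" "curl/7.52" "%{(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Probe','1'))}"
192.0.2.9 - - [13/Apr/2017:10:05:17 +0530] "POST /login.action HTTP/1.1" 302 0 "-" "Mozilla/5.0" "application/x-www-form-urlencoded"
"""

# Constructed sample files: two minimal shells and one benign upload handler.
SAMPLE_FILES = {
    "cmd.jsp": '<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "x.php": "<?php @eval(base64_decode($_POST['p'])); ?>",
    "upload.php": "<?php move_uploaded_file($_FILES['f']['tmp_name'], 'uploads/' . basename($_FILES['f']['name'])); ?>",
}

if __name__ == "__main__":
    for hit in find_struts_exploit_attempts(SAMPLE_LOG):
        print(f"[exploit attempt] {hit['ip']} {hit['time']} {hit['path']} {hit['indicators']}")
    for name, src in SAMPLE_FILES.items():
        verdict = score_web_shell(src)
        print(f"[file] {name}: likely_shell={verdict['likely_shell']} {verdict['indicators']}")
```

Run against real logs, the first check gives the source addresses and the time of the first exploitation attempt, which bounds how long the attacker has had access; the second check matters even more when the framework has already been patched, because a shell dropped earlier (the one on India Post's server was reported to date from April 2017, almost a year before the flaw was noticed) survives the patch and has to be found and removed separately.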
The security flaw was found on the subdomain https://digitization.indiapost.gov.in, which exposed a vulnerable Uniform Resource Locator (URL).
"There was a Remote Code Execution (RCE) at India Post subdomain which is vulnerable to Apache Struts vulnerability," Robert Baptiste, a French security researcher, told Express over Direct Messages on Twitter.
Baptiste had earlier exposed and helped resolve security vulnerabilities in the Telangana government's National Rural Employment Guarantee Act (NREGA) beneficiaries’ website as well as in Bharat Sanchar Nigam Limited (BSNL). "I was not the first to exploit it. Someone has used it before. There were some malicious files created on their server. Someone has uploaded a shell on the India Post office server. They were created on April 13, 2017, and are still here," he added.
Baptiste brought the issue to light on Twitter, as he has done regarding other Indian government sites in the past. On March 6 he tweeted: "Hi @IndiaPostOffice, can you contact me at DM or by mail? This is important," but said he received no response.
On March 8, Express reached out to key officials at India Post. India Post then made contact with the ethical hacker three days after his tweet.
The security flaw had in fact been detected first by an Indian hacker. This hacker, who spoke to the Express on condition of anonymity, said he had reached out to Baptiste for fear of government backlash. "A few of my friends and myself have reported many bugs on government domains before but the response we got from them was very bad. A few of my friends got arrested just for reporting vulnerabilities. This is our present government standards," the Indian hacker told Express.
"I gained access to the whole database and the files which consist of very sensitive data like bills, logins etc. The data which was on that server also consisted of logins, employee details, bills, customers information etc. If any outsiders upload a .php backdoor by exploiting this vulnerability they could modify all the user's payment data etc. Few banking details were there in it. The vulnerability allows the hacker to change even billing details that can result in huge financial losses for India Post. I thought to leak all the data if they didn't respond but instead reached out to Baptiste," he added.
(With inputs from ENS)