Telangana Treasury website vulnerable to hacking

The issue comes with the ‘treasury bill details’ webpage on the website of the Directorate of Treasuries and Accounts.

HYDERABAD: The State government’s Treasuries and Accounts department website is vulnerable to hacking attempts if an underlying issue that has cropped up is not mitigated as soon as possible.

The issue comes with the ‘treasury bill details’ webpage on the website of the Directorate of Treasuries and Accounts. Though the contents of the webpage are secure as of now, it is the security of the URL that is in question.

The link treasury.telangana.gov.in/cybertry/index1.php?service=trebilldet currently accepts random inputs in its address before returning an error.

Sources say the error arises because the website was allowing user input in the URL and not validating it.

Through this error, a hacker can use techniques such as blind error-based Structured Query Language (SQL) injection, or a tool such as sqlmap (an automated tool that detects flaws and takes over database servers), to determine the system’s vulnerabilities.

According to sources in the Directorate of Treasuries and Accounts, the department is investigating the matter as of now. The vulnerability indicates the lack of a proper firewall, such as Cloudflare, which would check and validate inputs submitted in the URL, sources said. Sources said that although the error-based SQL injection method was tedious and required a lot of trial and error to gain access, it was not impossible.
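The server-side check the article says is missing, sketched as an added example in Python (it is not the Treasury site's own code, which the URL suggests is PHP). Only the `service=trebilldet` value comes from the article; the `billno` parameter, its numeric format and the `bills` table are assumptions made for illustration.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Allow-list of service names; only 'trebilldet' appears in the article.
ALLOWED_SERVICES = {"trebilldet"}
# Assumed format for a bill identifier (hypothetical 'billno' parameter).
BILL_NO = re.compile(r"[0-9]{1,12}")

def make_db():
    """Constructed in-memory table standing in for the real backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bills (bill_no TEXT PRIMARY KEY, status TEXT)")
    db.execute("INSERT INTO bills VALUES ('1001', 'PASSED')")
    return db

def handle(db, url):
    """Return (http_status, body) for a request URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Reject unexpected parameter names and repeated parameters outright.
    if set(params) - {"service", "billno"}:
        return 400, "Bad request"
    if any(len(values) != 1 for values in params.values()):
        return 400, "Bad request"
    # The service name must match the allow-list exactly.
    if params.get("service", [""])[0] not in ALLOWED_SERVICES:
        return 400, "Bad request"
    # The identifier must match the expected format in full.
    bill_no = params.get("billno", [""])[0]
    if not BILL_NO.fullmatch(bill_no):
        return 400, "Bad request"
    try:
        # Placeholder binding: the value is never spliced into the SQL text.
        row = db.execute(
            "SELECT status FROM bills WHERE bill_no = ?", (bill_no,)
        ).fetchone()
    except sqlite3.Error:
        # Never echo database errors to the client; error-based probing
        # depends on seeing them.
        return 500, "Internal error"
    return (200, row[0]) if row else (404, "Not found")
```

Every malformed request gets the same generic response, so the reply carries no database detail whichever check rejected it.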

It is important to note that in July, Express had brought to light another vulnerability in the Directorate of Treasuries and Accounts website. In that case, the website was leaking sensitive information such as bank account numbers, tax deductions, PAN and pension details of retired state government employees.

The New Indian Express
www.newindianexpress.com