On October 18th I was trying to register for an official matter in a government website abc.com. After uploading a few documents I clicked on the view uploaded file hyper link. After clicking on the hyper link I was able to see my Enrolment ID in the link.
Eg:abc.com/uploads/document/enrollment_id_1234
This poked my curiosity and I simply changed the enrolment_id_1234 to enrolment_id_1233.
I was surprised to see another persons documents when I changed the ID. This type of vulnerabilities are known as IDOR (Insecure Direct Object Reference)
What is an IDOR?
Insecure Direct Object Reference (IDOR) IDOR is a security vulnerability where an attacker can access, modify, or delete sensitive data in a web application by manipulating parameters, such as changing URLs. This happens when the application doesn’t properly validate or authorise user actions, allowing unauthorised access to objects.
What are the consequences of IDOR:
-Unauthorized Data Access
-Data Modification/Deletion
-Financial Loss
-Reputation Damage
-Legal Consequences
-Operational Disruption
-Data Exfiltration
-Compliance Violations
Steps to prevent IDOR:
1.Enforce proper authorization and authentication.
2.Avoid exposing direct object references to users.
3.Use parameterized queries for database interactions.
4.Implement strict input validation.
5.Keep logs and monitor for suspicious activity.
IDOR vulnerabilities can lead to data breaches and privacy violations, making it essential to address them in the development and testing phases of an application.
I have tried changing the enrollment_ID for multiple times and I was able to view different PII such as Aadhar card, Bank Passbook, Educational documents, Photos, contact numbers etc of all the people who have registered in that particular website.
This is really shocking and I immediately took advice from my Infosec friends and Community- InitCrew and reported it to the government. I immediately got response from them saying the bug is valid and mitigation procedures have been started.
After getting a positive response I did a happy dance with my friends and went back to my daily struggles.
How to report a bug to Indian Government ?
I’m sure you might be thinking how to report a bug in the government websites if you find. Here are few steps I have taken.
- Any kind of bugs or CVE’s can be reported to this team: https://nciipc.gov.in/index.html
- Make a POC (proof of concept) record video if you can.
- Fill the responsible disclosure form :https://nciipc.gov.in/documents/Vulnerability_Disclosure_Form.pdf
- Sent a mail to :rvdp [AT] nciipc [DOT] gov [DOT] in, with the POC and responsible disclosure form attached.
Summary
The bug that I found was very simple but very dangerous since it exposed the privacy and personal data of millions. PII (Personally Identifiable Information) getting exposed cannot be considered as a simple bug. It can lead to identity theft and many many privacy issues . Happy hacking ✌🏻
Connect with me on Linkedin
