India’s Biggest Hack — 1100+ Security bugs in Indian Government Websites and Servers compromised

Summary:

cappriciosecurities
InfoSec Write-ups


I’m Karthikeyan V, Founder and CEO of Cappricio Securities, a cyber security firm situated in Chennai, Tamilnadu.

We have started to reveal the list of security flaws (bugs) discovered earlier while testing Indian government websites.

Because the impacted websites belong to diverse departments and sectors of the core government, the Indian government websites mentioned above are described only in general terms here. This fatal issue might have a significant impact on our nation’s internet security measures.

As the leading government websites are prone to critical attacks, any third-party intrusion may bring the entire web application network down on a large scale.

Bugs list

About the Issue:

To explain this problem further: we discovered approximately 1100+ bugs across the priority categories Low, Medium, High, and Critical.

The Low-priority bugs totalled 471, with open-redirect, CRLF injection, cache storage, server-version disclosure, server-status, and PHP info-files leaking being the most prevalent.

The Medium-priority bugs totalled 495, with the most prevalent being Zip-backup files (sensitive data such as DB Credentials, Backend Code, and more), PHP-backup files, reflected XSS, common CVEs, and so on.

The 87 High-priority bugs detected include Firebase data exposure, credential file disclosure, server config files, arbitrary code execution, local and remote file inclusion bugs, and SQL injection. These allowed me access to all server-side sensitive data, including admin credentials, users’ sensitive data, and server privileges.

The Critical-priority bugs totalled 38, with remote code execution, OS command injection, and other CVE-IDs being the most frequent. These provided me with complete access to the server.

Disclosure:

These security flaws can lead to a significant loss of application integrity.

I submitted these concerns to CERT-India, who responded, as our intention is to keep the applications secure.

Reply from RVPD India Government

It’s not easy to provide proofs of concept for over 1100+ security flaws, since the POC link was included in the report.

Disclaimer:

If a Black-Hat hacker comes across one of these loopholes, the outcome will be detrimental to Internet privacy.

Although some government websites are affected by major vulnerabilities that have not yet been patched, some bugs have been concealed due to privacy concerns.

I’m extremely grateful for keeping our nation’s web applications secure and reliable, and we strive hard to maintain the systems’ integrity.

Jai Hind!

Credits

Writer:- Karthikeyan K (CIO Cappricio Securities)

VULNERABILITIES DISCOVERED By:- karthithehacker (Karthikeyan.V)
