Security flaws in India Post’s portals meant for official use have exposed bank account details of employees as well as a database of sensitive customer and vendor information to cyber attacks.
The attacks were carried out using a flaw in Apache Struts. Apache Struts is a Java platform used by the Department of Posts to develop Java applications. The database was also found to contain a malicious file that was uploaded by hackers in 2017 with the intention of taking over India Post servers. As of Saturday, India Post was still actively trying to fix the issue.
This security flaw, referred to as Apache Struts Vulnerability (ASV) resulted in the data theft of over 200,000 credit card details of over 140 million US customers from the financial services firm Equifax in 2017. This loss could have been prevented by a simple update.
India Post faces the same vulnerability as well as a few other cybersecurity flaws. However, when contacted by New Indian Express the organisation claimed there had been no data loss and downplayed the sensitivity of the data that was exposed to hackers.
The security flaw was found in the domain that contained a vulnerable Uniform Resource Locator (URL). India Post on Saturday confirmed that other URLs too had the similar security flaws.
“There was a Remote Code Execution (RCE) at India Post subdomain which is vulnerable to Apache Struts vulnerability,” Robert Baptiste, a French security researcher, told Express over Direct Messages on Twitter.
Baptiste had earlier exposed and helped resolve security vulnerabilities in the Telangana government’s National Rural Employment Guarantee Act (NREGA) beneficiaries’ website as well as in Bharat Sanchar Nigam Limited (BSNL). “I was not the first to exploit it. Someone has used it before. There were some malicious files created on their server. Someone has uploaded a shell on the India Post office server. They were created on April 13, 2017, and are still here,” he added.
Baptiste brought the issue to light on Twitter, as he has done regarding other Indian government sites in the past. On March 6 he tweeted : “Hi @IndiaPostOffice, can you contact me at DM or by mail? This is important,” but said he received no response.
On March 8, Express reached out to key officials at India Post. India Post then made contact with the ethical hacker three days after his tweet. On Saturday, India Post confirmed to Express that the security flaw that had only required an update had been resolved, however, the flaw resurfaced a few hours later and was again fixed after Baptiste’s intervention.
“The vulnerability makes it possible for a hacker to remotely execute code on the India Post computers. In Windows, the command DIR (a type of command) lists all the files and folders in the current folder. This allows the hacker to view, read, modify, download files and create folders on the India Post server,” said Baptiste, “I did not download the file for myself but by looking at the file names one can imagine the kind of data inside. “It seems to contains sensitive data such as bank accounts etc. RCE is the worst possible thing in security. You can do what you want and no, I didn’t dump the data,” he added.
The security flaw was actually detected by an Indian hacker first. This hacker, who spoke to Express on the condition of anonymity, said he had reached out to Baptiste fearing government backlash. “A few of my friends and myself have reported many bugs on government domains before but the response we got from them was very bad. A few of my friends got arrested just for reporting vulnerabilities. This is our present government standards,” the Indian hacker told Express.
“I gained access to the whole database and the files which consist of very sensitive data like bills, logins etc. The data which was on that server also consisted of logins, employee details, bills, customers information etc. If any outsiders upload a .php backdoor by exploiting this vulnerability they could modify all the user’s payment data etc. Few banking details were there in it. The vulnerability allows the hacker to change even billing details that can result in huge financial losses for India Post. I thought to leak all the data if they didn’t respond but instead reached out to Baptiste,” he added.
India Posts digital journey:
In 2013, India Post handed a Rs 11000 million, six-year contract “for an end-to-end IT modernization program to equip India Post with modern technologies and systems” to Tata Consultancy Services (TCS). Five years since, TCS has helped India Post set up network integration of post offices and also integrated financial systems aimed at computerizing the Savings Bank and Postal Life Insurance (PLI) operations of India Post through one central platform.
The Core Systems Integrator (CSI) project, under which the ASV was detected, has been rolled out in 65 Divisions and 25 other related offices, including the pilot, as on December 10, 2017, according to India Post Annual Report of 2017-18. The project is being developed and handled by TCS, as are other digital assets of India Post.
India Post downplayed the whole issue by saying, “The database just contained names of the post office, their levels, if they got closed, if there is a new post office, such kind of data. Such kind of data is available in the public domain.. There were no bank account details, there was nothing sensitive in the database. Some data is not available for the public or external stakeholders so in that way some data got exposed,” said KK Sharma, Managing Director, Center for Excellence in Postal Technology.
“Outside persons normally should not be able to get in, if Robert attempted and was able to get in it means there was some weak point from where he could enter,” he admitted.
When asked about the file names and the sensitive data the hackers have found in the database, the official replied saying,”Pan card details? I don’t think they should be there, that’s not supposed to be part of the network.”
“We have escalated to TCS, which is yet to get back with Root Cause Analysis (RCA). As it was a temporary arrangement, they might not have looked completely. Our website also is taken care by them. Technical work was under TCS. We are yet to make a final view on the issue so we are waiting for the RCA. They will submit the RCA, then if we feel they have not done properly, then we will take due action. No software is perfect from day one. We are thankful to Elliot (Baptiste) for pointing this out. If there are any more issues that need to be reported do contact us,” Sharma added.
Express contacted TCS for its response and will update this story when the organisation provides one.
What’s in the files?
Robert Baptiste showed KhabarLive the list of files that he retrieved from the India Post portal. These files were in an excel format.
The names of these files may be indicative of their content: accounts payables and receivables, bank master files, BeatMaster distinct employee numbers, budget balance details, customer advance balances, customer bookings, CustomerMasters, customer data, domestic vendor data, Point of Sales (POS) synch reports for several postal circles, aadhaar data from biometric readers collected by post officials, Electronic Billier details, Employee bank account numbers, pan card and aadhaar data of customers.
Who is Robert Baptiste?
Baptiste claims to be a French security researcher. He uses a Twitter handle @fs0c131y under the pseudonym Elliot Alderson. The pseudonym is a reference to the lead character on the popular television series Mr.Robot that chronicles the efforts a hacker with mental illnesses trying to destroy an evil corporation.
Baptiste came into the limelight in India recently after he started exposing security vulnerabilities in the Aadhaar and UIDAI’s mAadhaar application. He then went to expose security flaws in the Telangana government and BSNL websites.
When asked why he was so interested in Indian cyber security, Baptiste told Express that Indian cyber security researchers and hackers reached out to him on Twitter with information about security flaws on government websites.
Indian IT laws prevent researchers from tampering with source code and being outside Indian jurisdiction helps Baptiste avoid legal trouble in India.
Many have questioned his methods of fixing the security flaw by dumping details of the security flaws and his findings on Twitter. Baptiste responds to the criticism saying, he only seeks results, wants the problem fixed and “I take no money”. When asked for long he would stay interested in India he replied, “I don’t know I’m thinking to switch to another country soon,” However, 42 per cent of his Twitter followers are from India. #KhabarLive