A French security researcher has exposed the Telangana government's benefit disbursement portal's 'TSPost' vulnerabilities, biometric details of millions of beneficiaries were laid bare.
The researcher, Baptiste Robert, whose Twitter handle goes by ‘Elliot Alderson’, has been trying to prove that the Aadhaar database is highly vulnerable to basic SQL (structured query language) injection, a common web hacking technique.
For exposing the flaw, he used SQL code to attack the back-end database of Telangana disbursement portal and get access all the confidential information.
The portal had the Aadhaar details of 56 lakh beneficiaries of NREGA and 40 lakh of social security pension (SSP).
Robert said, “In theory, a government website is very secure, but in India, it’s another story. http://tspost.aponline.gov.in is vulnerable to a basic SQL injection that allows an attacker to access the database of the website. To be clear, all the data on this website can be a dump. Telangana government officials say they are working on to fix it. For this website, they have to hire decent web developers to protect it from attacks.”
The researcher used a social media platform, Twitter, to mock the way government officials dealt with the vulnerability that he had found. He tweeted,” I don't know if I have to laugh or cry. http://tspost.aponline.gov.in owners fixed the issue by putting offline the website.”
While, a TSPost official said, “We are working on fixing the vulnerability after it was reported to us. It was online due to certain dependencies. We have taken off the site from the web, and we hope by Tuesday evening we will be able to set it right,”
Satish, COO of TSPost, said, “Our technical team is working on it. We can give an update on Tuesday.”