French security researcher Robert Baptiste, who goes by Elliot Alderson on Twitter, has been revealing cybersecurity flaws in the Indian scene for a while now. This time, he has reported a vulnerability on the India Post server that allows remote code execution.
Baptiste in fact reported this flaw on behalf of an Indian researcher who chose to remain anonymous because of the legal implications under Indian law.
The subdomain of India Post — digitization.indiapost.gov.in — was vulnerable to an Apache vulnerability, i.e. CVE-2017-5638. It meant that an attacker would be able to run code on the India Post server.
The flaws led to the exposure of bank details of employees as well as databases of sensitive information. He posted several screenshots of the files he was able to access by exploiting the flaw.
This server contains a lot of interesting files: Contract_Data2018-03-05.xls, Customer Advance Balance2018-03-05.xls, CustomerBookings2018-03-05.xls, OfficeSpecificData2018-03-05.xls, Bank Master2018-03-05.xls, ... https://t.co/EH0846azge — Elliot Alderson (@fs0c131y) March 11, 2018
He also revealed that he was not the first person to exploit these flaws, and posted screenshots that show activity from almost a year earlier, on 14th April, 2017.
For the record, I was not the 1st. Someone created 3 files on 13-04-2017 in order to exploit the vulnerability. pic.twitter.com/lgiIjePnHB — Elliot Alderson (@fs0c131y) March 11, 2018
The vulnerability has since been fixed, which led Elliot Alderson to tweet out the details of this recent hack.
As the issue is now fixed, I can disclose the details of the @IndiaPostOffice vulnerability. — Elliot Alderson (@fs0c131y) March 11, 2018