Amid raging debate surrounding Aadhaar data security, another major breach has come to light.
French security researcher Baptiste Robert, who goes by 'Elliot Alderson' on Twitter, on Sunday laid open the Telangana government's benefit disbursement portal 'TSPost', exposing biometric details of a huge number of beneficiaries.
In theory, a government website is very secure but in #India it's another story... https://t.co/88CKv3hM9q is vulnerable to a basic SQL injection... 🤦 pic.twitter.com/3x1lX1mCUp — Elliot Alderson (@fs0c131y) February 25, 2018
Elliot used a basic hacking technique to break through the security wall. "In theory, a government website is very secure but in #India it's another story...
http://tspost.aponline.gov.in is vulnerable to a basic SQL (structured query language) injection," he wrote on Twitter.
"To be clear, all the data on this website can be a dump. Telangana government officials say they are working on to fix it. For this website, they have to hire decent web developers to protect it from attacks," he further added.
The researcher said that he tweeted the breach only after a "reasonable delay" after reporting the matter to the site owners.
The site officials, however, fixed the breach by putting the system in offline mode. Elliot tweeted in the evening: "I don't know if I have to laugh or cry. http://tspost.aponline.gov.in owners fixed the issue by putting offline the website."
A TSPost official, while talking to the paper, said that the site is expected to be back by Tuesday evening.
Later, in an official reply to Outlook, the Commissioner of Research and Development, Telangana government, issued a clarification.
"The portal which was accessed by the researcher is the old website (www.tspost.aponline.gov.in) which is not in operation after the bifurcation of the State i.e. after 2nd June 2014. However, the reports can be viewed for the purpose of with respect to the old wage payments which were disbursed under the scheme. Then, it is migrated to a new portal i.e. www.tspost.tsonline.gov.in for the Telangana State Government which is completely secured.
"When the issue was brought to the notice of service provider, the website was verified and it was noticed that the researcher had only “viewed” the data while accessing the website as no other operations can be done by the public as the website is secured. Also, the website has been closed after the issue has come to light."
This comes at a time when several data breaches have been reported from different quarters of the country.
An investigative report by The Tribune titled "Rs 500, 10 minutes, and you have access to billion Aadhaar details" had revealed that Aadhaar details are easily accessible, and that too just by paying Rs 500.
According to the newspaper, its reporter purchased a service by anonymous sellers on WhatsApp and paid Rs 500 via Paytm to an agent of the group running a racket. The agent then created a “gateway” for the reporter and gave a login ID and password, thus giving unrestricted access to details, including name, address, postal code (PIN), photo, phone number and email, of more than 1 billion Aadhaar numbers submitted to the UIDAI, the Aadhaar issuing body.