Examination of the leaked source code unveiled that it contained references to the NIC SMS Gateway GUI portal, potentially granting unauthorised individuals the ability to send messages to citizens. (Representational image: News18)
Cybersecurity firm CloudSEK said the breach, which was discovered on August 2, has unveiled the illicit sharing of the source code of the website of the ministry of road transport and highways
In a startling revelation, cybersecurity firm CloudSEK’s XVigil AI digital-risk platform has brought to light a significant breach involving the website for the integrated road accident database of the ministry of road transport and highways.
According to CloudSEK, the breach, which was discovered on August 2, has unveiled the illicit sharing of the source code of the website on an underground cybercrime forum, also known as the dark web. In its report, the cybersecurity firm stated: “Our source was able to obtain the source code, totalling 165 MB in size. Most of the code is written in PHP.”
“We have found several sensitive assets embedded in the code. The code contained hostnames, database names, and passwords. The usernames and passwords used in the source code were quite simple and could be prone to brute-force attacks with local access to the server,” the report added.
Further examination of the leaked source code has also unveiled that the code contained references to the NIC SMS Gateway GUI portal (sms.gov.in), potentially granting unauthorised individuals the ability to send messages to citizens. Embedded URLs contained fields for usernames and passwords, raising the spectre of unauthorised access.
According to the researchers: “On August 7, the same threat actor made another post sharing a sample dataset of the 10,000 users of the website. The post also mentions that structured query language (SQL) injection was used to obtain the data from the vulnerable API endpoint, which at the time of writing the report, is still accessible.”
As per the post, the header contains details like id, office_id, name, email, regno, active, mobile, ps_code, remarks, password, username, created by, dept_code, role_code, state_code, designation, created_date, old_password, password_enc, district_code, email_verified, mobile_verified.
“Our source could verify some of the mobile numbers and the names mentioned in the sample dataset against Truecaller and they matched. The sample data also contains government officials’ email IDs and clear text passwords,” the report added.
The researchers said the leaked information might be used to get first access to the website’s infrastructure, account takeovers may be possible if the leaked credentials are not encrypted and passwords that are frequently used or are weak may be vulnerable to brute force assaults. This would provide bad actors with the information they need to exfiltrate data and remain persistent.
CloudSEK, however, said the road transport ministry was informed about the breach and was urged to take immediate action to secure the iRAD website and safeguard sensitive user data. News18 has learnt that the cybersecurity firm works closely with CERT-In also and they inform them about each vulnerability. It is also understood that based on the details of the report shared by CloudSEK, the government has taken necessary actions.