Publicly shared usernames and passwords for the government's SMS publishing platform meant that a malicious user could have used the official machinery to send text messages posing as the government. Sai Krishna Kothapalli, a security researcher in Hyderabad, found the credentials while searching through public repositories, but he says that this particular issue has now been mitigated thanks to an unrelated change to the SMS infrastructure.
In a blog post, Kothapalli explained how, while searching through the public repositories on the software development platform GitHub as a part of his research, he came across credentials which looked suspicious, because the project belonged to an Indian, and its URL is of a government service.
Kothapalli, the CEO of a security company called Hackrew, which has worked with the Government of Telangana, along with other government bodies, explored this further and found that you could not directly visit the URL. Instead, he then looked at the details to visit the website and found that it belongs to the National Mobile Governance Initiative, developed by the Centre for Development of Advanced Computing.
The service has been used by the government to send over 600 crore text messages every year to Indians, by both the centre and states. In his blog, Kothapalli explained that he then found documentation for the service online. Logging into the service was secured by an OTP, so this at least could not be misused.
However, Kothapalli also found an API for the service, which required three parameters to use — the username, password, and sender ID. Once again, he searched on GitHub, and found usernames and passwords — many of them, in fact.
“I was able to find 30+ credentials and required details to make these requests,” he wrote. “There are definitely more.” Interestingly, he found some security measures like an IP whitelist (allowing only users connected from an authorised list of IP addresses, to log in, even with the correct credentials), but only two of the 15 credentials he tested were using this security feature. If the government organisations had used this feature built into the system, he would not have been able to exploit the loophole even with the usernames and passwords.
Gadgets 360 wrote to the National Critical Information Infrastructure Protection Centre (NCIIPC) one week ago sharing Kothapalli's findings and asking if the agency was aware of the issue, and if it was taking any steps to prevent passwords and other credentials from being shared on Github, but have not received any reply.
Update: After the publication of this article, the NCIIPC responded to state the following: "1. We acknowledge the issue reported by you. 2. We are in the process of verification and remediation in coordination with the respective stakeholder(s) and look forward to your continued contribution."
We shall update this article on receiving a further reply.
What was the risk posed by this?
Sender ID is the header that tells you where a message has come from, such as VX-ViCARE, or TX-MYTSKY for example. Or something that sounds very official, such as ADHPGOVT.
A screenshot showing test messages using the publicly uploaded credentials
Photo Credit: Sai Krishna Kothapalli
Using this, Kothapalli was able to test the API, and send messages to himself, posing as the Himachal Government and the Election Commission. The potential for misuse of something like this is quite concerning. Official seeming messages that appear to come from the government could have been used to spread misinformation without anyone being any wiser.
“Imagine people receiving a message from the Election Commission of India that the election booth is closed or elections are postponed because of the COVID-19 pandemic,” Kothapalli wrote.
Switch to blockchain DLT for SMS also fixed this loophole
This particular security flaw has been fixed by now, so that even with leaked credentials, the potential for misuse is now much lesser. According to Kothapalli, he discovered the flaw in February, but did not explore it in depth at the time. When he came back to it in May, he found that he could no longer send messages.
This was because of a fundamental change that the Telecom Regulatory Authority of India (TRAI) introduced in March. At the time, it had caused a major disruption to the sending of OTPs from banks and other institutions because they had to create something called a template to send the messages. The new Distributed Ledger Technology (DLT) system is a blockchain-based registration system, and the rules, which were fully implemented from April 1, require that all messages being sent follow a predetermined template.
Kothapalli wrote, “Essentially, anyone can't send custom messages using the above-mentioned loophole anymore. Though TRAI's new system fixed a part of loophole, anyone can still send templated messages. This restricts the possibilities of scams and misuse.”
Even so, he warned that he might not have been the first person to discover the vulnerability, and that it was crucial to check if this has been misused before. “Government should ensure that the developers don't push credentials and other secrets to services like GitHub. Basic training should be given to those developers,” he added. “And by design, the CDAC API has IP whitelisting allowed. So it should have been enforced.”
This advice is equally true for private organisations as well, which have witnessed a string of breaches of ever increasing scale in the last year, with reports of breaches in Air India, BigBasket, MobiKwik, and many more, all allegedly affecting millions of Indians.