Cyber Security News

Indian Post Office Portal Leak Exposes Thousands of KYC Records

The Indian Post Office portal recently exposed the sensitive Know Your Customer (KYC) data of thousands of users due to a critical vulnerability known as Insecure Direct Object References (IDOR).

This alarming flaw allowed unauthorized individuals to access private user information, including Aadhaar numbers, PAN details, addresses, and other personal records, merely by manipulating numbers in the URL.

The Vulnerability Unveiled

A Security Researcher unveiled in Medium that an IDOR vulnerability occurs when a web application inadvertently allows users to access restricted information by altering parameters in the URL without proper authentication checks.

IDOR workingIDOR working
IDOR working

In this case, anyone with basic technical knowledge could retrieve sensitive KYC documents by incrementing or modifying document IDs in the URL, leaving confidential information unprotected.

For example, a sample request made to the Indian Post Office portal demonstrated how easily this data could be accessed.

POC Image

By sending a simple GET request without an authorization token, users were able to view sensitive information including user IDs, Aadhaar and PAN numbers, and links to downloadable KYC documents.

This lack of proper validation and authorization created a massive loophole for exploitation.

Sample Request and Response:

Request
text
GET /api/kyc/document?document_id=125678 HTTP/1.1 
Host: govportal.in
Response
json
{
  "status": "success",
  "document_id": "125678",
  "user_id": "345678",
  "name": "Rahul Sharma",
  "aadhaar_number": "XXXX-XXXX-1234",
  "pan_number": "ABCDE1234F",
  "kyc_document": "https://govportal.in/kyc_docs/125678.pdf"
}

The absence of authentication tokens made it possible to brute-force document IDs and retrieve the KYC records of other users, leaving critical personal data exposed.

Brute Forcing with ID

Ethical Disclosure and Swift Action

Upon identifying the vulnerability, the researcher followed ethical protocols:

  1. The issue was immediately reported to the Indian Post Office and relevant cybersecurity authorities.
  2. The researcher highlighted the potential risks stemming from this flaw, including identity theft, phishing scams, and misuse of government data.
  3. The vulnerability was also shared with the Computer Emergency Response Team (CERT-In), India’s leading cybersecurity incident response team.

CERT-In responded promptly, acknowledging the report and coordinating efforts to secure the affected systems.

Response from Cert-In

The Indian Post Office took swift action to address the issue, patching the vulnerability and securing its API endpoints.

Government platforms hold vast amounts of personal and financial data, making them prime targets for cyberattacks. A breach of this magnitude could lead to:

  1. Identity theft: Bad actors could misuse Aadhaar and PAN details for fraud.
  2. Phishing attacks: Access to personal data can enhance the effectiveness of scams.
  3. Legal repercussions: Mishandling KYC data risks violating privacy regulations under India’s impending Data Protection Act.

This incident highlights the urgent need for improved security measures in public sector platforms. Regular penetration testing, robust authentication protocols, and stronger API validations must be prioritized to prevent such breaches in the future.

The Indian Post Office’s proactive response and collaboration with CERT-In set an example of how organizations should handle disclosures responsibly.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

IT Worker from Computacenter Let Girlfriend Into Deutsche Bank’s Restricted Areas

A former information technology manager has filed a whistleblower lawsuit alleging a major security breach…

33 minutes ago

NSO Group Ordered to Pay $168 Million to WhatsApp in US Spyware Verdict

A federal jury in California has ordered Israeli spyware maker NSO Group to pay approximately…

1 hour ago

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…

16 hours ago

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…

16 hours ago

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has…

16 hours ago

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised…

16 hours ago