Technology News

Security Researcher Found Loophole by Which to Send SMSes From Government IDs

This particular loophole has been fixed since this time, and can not be used.

By Gopal Sathe | Updated: 24 May 2021 14:06 IST
Security Researcher Found Loophole by Which to Send SMSes From Government IDs

Photo Credit: Pexels

Credentials revealed via GitHub could have been misused to send text messages

Highlights
  • Credentials to a government SMS platform were leaked on GitHub
  • Anyone could have sent messages from official IDs using this
  • The loophole was fixed by April owing to TRAI's changes in SMS rules
Advertisement

Publicly shared usernames and passwords for the government's SMS publishing platform meant that a malicious user could have used the official machinery to send text messages posing as the government. Sai Krishna Kothapalli, a security researcher in Hyderabad, found the credentials while searching through public repositories, but he says that this particular issue has now been mitigated thanks to an unrelated change to the SMS infrastructure.

In a blog post, Kothapalli explained how, while searching through the public repositories on the software development platform GitHub as a part of his research, he came across credentials which looked suspicious, because the project belonged to an Indian, and its URL is of a government service.

Kothapalli, the CEO of a security company called Hackrew, which has worked with the Government of Telangana, along with other government bodies, explored this further and found that you could not directly visit the URL. Instead, he then looked at the details to visit the website and found that it belongs to the National Mobile Governance Initiative, developed by the Centre for Development of Advanced Computing.

The service has been used by the government to send over 600 crore text messages every year to Indians, by both the centre and states. In his blog, Kothapalli explained that he then found documentation for the service online. Logging into the service was secured by an OTP, so this at least could not be misused.

However, Kothapalli also found an API for the service, which required three parameters to use — the username, password, and sender ID. Once again, he searched on GitHub, and found usernames and passwords — many of them, in fact.

“I was able to find 30+ credentials and required details to make these requests,” he wrote. “There are definitely more.” Interestingly, he found some security measures like an IP whitelist (allowing only users connected from an authorised list of IP addresses, to log in, even with the correct credentials), but only two of the 15 credentials he tested were using this security feature. If the government organisations had used this feature built into the system, he would not have been able to exploit the loophole even with the usernames and passwords.

Gadgets 360 wrote to the National Critical Information Infrastructure Protection Centre (NCIIPC) one week ago sharing Kothapalli's findings and asking if the agency was aware of the issue, and if it was taking any steps to prevent passwords and other credentials from being shared on Github, but have not received any reply.

Update: After the publication of this article, the NCIIPC responded to state the following: "1. We acknowledge the issue reported by you. 2. We are in the process of verification and remediation in coordination with the respective stakeholder(s) and look forward to your continued contribution."

We shall update this article on receiving a further reply.

What was the risk posed by this?

Sender ID is the header that tells you where a message has come from, such as VX-ViCARE, or TX-MYTSKY for example. Or something that sounds very official, such as ADHPGOVT.

sai SMS test sms test

A screenshot showing test messages using the publicly uploaded credentials
Photo Credit: Sai Krishna Kothapalli

Using this, Kothapalli was able to test the API, and send messages to himself, posing as the Himachal Government and the Election Commission. The potential for misuse of something like this is quite concerning. Official seeming messages that appear to come from the government could have been used to spread misinformation without anyone being any wiser.

“Imagine people receiving a message from the Election Commission of India that the election booth is closed or elections are postponed because of the COVID-19 pandemic,” Kothapalli wrote.

Switch to blockchain DLT for SMS also fixed this loophole

This particular security flaw has been fixed by now, so that even with leaked credentials, the potential for misuse is now much lesser. According to Kothapalli, he discovered the flaw in February, but did not explore it in depth at the time. When he came back to it in May, he found that he could no longer send messages.

This was because of a fundamental change that the Telecom Regulatory Authority of India (TRAI) introduced in March. At the time, it had caused a major disruption to the sending of OTPs from banks and other institutions because they had to create something called a template to send the messages. The new Distributed Ledger Technology (DLT) system is a blockchain-based registration system, and the rules, which were fully implemented from April 1, require that all messages being sent follow a predetermined template.

Kothapalli wrote, “Essentially, anyone can't send custom messages using the above-mentioned loophole anymore. Though TRAI's new system fixed a part of loophole, anyone can still send templated messages. This restricts the possibilities of scams and misuse.”

Even so, he warned that he might not have been the first person to discover the vulnerability, and that it was crucial to check if this has been misused before. “Government should ensure that the developers don't push credentials and other secrets to services like GitHub. Basic training should be given to those developers,” he added. “And by design, the CDAC API has IP whitelisting allowed. So it should have been enforced.”

This advice is equally true for private organisations as well, which have witnessed a string of breaches of ever increasing scale in the last year, with reports of breaches in Air India, BigBasketMobiKwik, and many more, all allegedly affecting millions of Indians.

What is the best phone under Rs. 30,000 in India right now? We discussed this on Orbital, the Gadgets 360 podcast. Orbital is available on Apple Podcasts, Google Podcasts, Spotify, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.
Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: SMS, Blockchain, Spam, Security, GitHub
Spotify Premium Users Can Now Download Music for Offline Listening on Apple Watch
India Biodiversity Portal Is Documenting Every Species in the Country and Everyone Can Take Part

Related Stories

Security Researcher Found Loophole by Which to Send SMSes From Government IDs
Comment
Share on Facebook Gadgets360 Twitter Share Tweet Snapchat Share Reddit Comment google-newsGoogle News
 
 

Advertisement

Featured
Follow Us
Latest Videos
More Videos
Tech News in Hindi
More Technology News in Hindi

Advertisement

Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. Nothing Ear, Nothing Ear A With Up to 45dB ANC Debut in India: See Price
  2. iPhone 17 Plus Tipped to Arrive With A Slightly Smaller Screen
  3. Ray-Ban Meta Smart Glasses: Versatile and Practical
  4. Huawei Pura 70 Ultra, Huawei Pura 70 Pro+ Launched: See Price
  5. Apple's Rumoured 12.9-Inch iPad Air May Arrive With This Display Upgrade
  6. HMD Unveils The Boring Phone With No Access to Internet
  7. Google Maps to Show EV Charging Stations, Public Transport Options Soon
  8. Microsoft's New AI Video Model Can Generate Eerily Realistic Videos
  9. Vivo V30e Set to Launch in India Soon; Specifications, Colurways Teased
  10. Nothing Phone 2 Gets NothingOS 2.5.5 Update With ChatGPT Integration
#Latest Stories
  1. Meta Llama 3 AI Models With 8B and 70B Parameters Launched, Said to Outperform Google’s Gemini 1.5 Pro
  2. Apple Tipped to Equip Purported 12.9-inch iPad Air Model With Mini LED Screen
  3. New OTT Releases This Week: Rebel Moon Part 2, Article 370, All Indian Rank and More
  4. Google Maps Makes It Easier to Find EV Chargers, Search Now Shows Sustainable Travel Options
  5. Nothing Phone 2 Receives NothingOS 2.5.5 Update With ChatGPT Integration, UltraXDR and More
  6. Snapchat to Display Watermark on Images Created Using Snap's Generative AI Tools
  7. Wayve Lingo-2 AI Model With Autonomous Driving Capabilities, Ability to Take Passenger Instructions Showcased
  8. Redmi 13 5G Model Numbers Surface Online; Could Debut in India as Poco M7 Pro 5G
  9. Moto Buds, Moto Buds+ With Dynamic ANC, Hi-Res Audio Launched: Price, Specifications
  10. Android 15 Could Include App Quarantine Feature to Protect Users From Malicious Apps: Report
Gadgets 360 is available in
Follow Us
Download Our Apps
App Store App Store
Available in Hindi
App Store
© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
Trending Products »
Latest Tech News »