Government Sites Said to Have Critical Vulnerabilities; NCIIPC and CERT-In Step In: Reports

The vulnerabilities reportedly exposed sensitive files, credentials, and police FIRs.

By Shayak Majumder | Updated: 22 February 2021 19:36 IST
Highlights
  • Sakura Samurai researchers’ collective spotted the lapses
  • US DoD Vulnerability Disclosure Program was brought in to raise concerns
  • NCSC says remedial actions have been taken

Security researchers said they found thousands of critical vulnerabilities in dozens of government-run Web services, more than half of which reportedly belonged to state governments. Most of the services had multiple issues that included exposed credentials, leaks of sensitive files, and the existence of known bugs. If exploited, these lapses could reportedly lead to deeper access within the government network, as per the researchers. The issues had been brought to the notice of the National Critical Information Infrastructure Protection Centre (NCIIPC) earlier this month. Now, a top official from the National Cyber Security Coordinator (NCSC) said that “remedial actions” have been taken.

The details of the compromised services were not made public as a security measure. However, many government departments are still catching up on security measures, particularly at the state level. But obviously, different departments have different threat profiles.

The collective of researchers, who call themselves Sakura Samurai, reached out to the NCIIPC in early February. However, the flagged issues remained unresolved for over two weeks, as per a report by Hindustan Times.

On February 20, Sakura Samurai member John Jackson published a blog detailing the breach and how the US Department of Defense Vulnerability Disclosure Program (DC3 VDP) had to be involved to help the Indian cyber-security wing take notice. The report suggests that the delay in action could have resulted in bad actors accessing sensitive information and conducting disruptive operations against government servers.

The critical issues found in the government Web services included exposed credentials that could allow unauthorised access for hackers. Apart from that, Jackson and his team wrote that they discovered 35 instances of credential pairs (that can be used to authenticate to a target), three instances of sensitive files, dozens of police FIRs, and over 13,000 identifiable information instances. Potential lapses were also discovered that could compromise extremely sensitive government systems. Team Sakura Samurai tested gov.in systems as part of the Responsible Vulnerability Disclosure Program (RVDP) run by NCIIPC. RVDP allows developers, researchers, and security professionals to report issues of potential information security risk to companies and countries.

Jackson explained in the blog, “Even though the Indian Government has a RVDP in place, we didn't feel comfortable disclosing the vulnerabilities right away. The hacking process was far from the standard situation of business-as-usual security research. In total, our report compounded to a massive 34-page report worth of vulnerabilities. We knew that our intent was good, but we wanted to ensure that the US Government had eyes on the situation.”


Sakura Samurai then co-ordinated with the DC3 VDP to assist in facilitating the initial conversations. On February 4, the US body tagged NCIIPC in a tweet, saying, “Check your email and let's chat.”

The NCSC opened a communication channel with Jackson and his team on Sunday. National Cyber Security Coordinator (NCSC) Lt Gen Rajesh Pant told Hindustan Times that necessary actions were taken. “Remedial actions have been taken by NCIIPC (National Critical Information Infrastructure Protection Centre) and CERT-In (Indian Computer Emergency Response Team)… NCIIPC handles only the Critical Information Infrastructure issues. In this case the balance pertained to other states and departments that were immediately informed by CERT-In. It is likely that some action may be pending by users at state levels which we are checking.”
