A bad news for all the Indian License user for getting their data exposed from Government official website due to some bad vulnerabilities. After some news highlighted this issue I found a blog post which clearly mentioned how these things happen.
On Feb 20, A student and cybersecurity researchers Robin Justin Posted a blog which contain the details of vulnerabilities which impact the Sarathi Parivahan ( the Website where Indian People apply for Driving and other RTO application) which comes under the Guidance of India Ministry of Road Transport and Highways.
The Issues which they face where portal allows citizen to appy the learner’s license for driving . But when they faced issues after a minute then he got hit and went to the RTO but at the end of the RTO said there are some issues but it was resolved soon.
What was the Issue?
The Researcher found that, to authenticate any application you need application number and date of birth. However, at an endpoint intended to check the application state was flawed where an attacker could supply a random application number to learn the associated applicants date of birth, address and driving license number and name and even pull the photos of individual.
The researcher Justin just explored and found the second vulnerabilities which only require Phone number and the applicant Date of birth to access the applicant application number.
The third vulnerability found was the public domain feature which has been too restricted to the administrator. The feature allowed the researcher to access the document uploaded by any applicant.
He quoted lastly “ This may impact the personal information of the individual who ever applied or issued License from Sarathi Parivahan , The application Number has been retrieved by entering mobile number and date of birth which may have access to the application number then you can use application number and date of birth to access the applicants data which they uploaded on https://parivahan.gov.in/parivahan/ and here your personal data like name , Aadhar number, and all document which you uploaded.
This is not the END of the Problem
Even the whole scenario has been sent to the CERT-IN ( Computer Emergency Response Team- India ) and has not gotten a response from the other side . The researcher reached to the main issue which is a poorly-secured one-time Password (OTP system for a SYSadmin account.
Even he managed to login the portal of administrator account and granting him access of viewing applicant and their document. The researcher has been aslo the option to process application without any in-person verification checks, approved requests to change the license information and even gave access of PII of government staff working in regional transport officials.
The main issue is that anyone with this level of knowledge can get all the information about the Aadhar card and passport of 185 Millions + applicants who hold an Indian Driving License. Even that person can generate as much as a driving License they want without knowing anyone.
What happens after Reporting
After Reporting as the Justin sent the mail to CERT-IN and her sent in Nov 2022 but the response he never get but on Dec 5, 2022 he sent again to the official about the issue.
Finally on Jan 25 , 2023 the happy mail was received with confirmation of vulnerability resolved .
