Cyber security researcher Robin Justin published a blog post containing the details of vulnerabilities impacting Sarathi Parivahan, the website for India’s Ministry of Road Transport and Highways.
The portal allows citizens to apply for a learner’s permit or driving license. Justin was attempting to apply for the latter when, within minutes, he stumbled upon endpoints with broken access controls and missing authorization checks.
To authenticate, you only needed an application number and the applicant’s date of birth. However, an endpoint intended to check the application state was flawed, so an attacker could supply a random application number to learn the associated applicant’s date of birth, name, address, and driving license number – as well as pull up a photo of the individual, according to portswigger.net.
Justin was also able to locate a publicly accessible feature that was meant to be restricted to administrators. The feature allowed Justin to access documents uploaded by an applicant – described by the researcher as a “critically vulnerable endpoint hiding quite literally in plain sight for all to use”.
He continued: “To attain maximum impact here, we ought to chain this vulnerable endpoint with the one we found earlier, which gave us the application number of an Indian user with just their phone number and date of birth. This ultimately gives us the ability to access sensitive personal documents of any Indian we know the phone number and date of birth of.”
“In a nutshell, I had direct access to critical documents like Aadhaar Cards and [the] passports of all 185 million+ Indians that hold a driver’s license,” the researcher noted. “I could’ve also generated as many valid government-approved driver’s licenses as I wanted.”
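The flaw in the application-status endpoint described above is a missing object-level authorization check. The following is an added example, not code from the Sarathi Parivahan portal or from the researcher: it puts the flawed lookup pattern beside a version that binds the lookup to the authenticated application and returns only the status. All record fields, values and function names are constructed assumptions, and the dictionary session stands in for a real server-side session.

```python
from datetime import date

# Constructed sample records; field names and values are assumptions.
APPLICATIONS = {
    "APP1001": {"dob": date(1990, 4, 12), "name": "Sample Applicant A",
                "address": "Constructed address 1", "licence_no": "DL-0001",
                "status": "UNDER_REVIEW"},
    "APP1002": {"dob": date(1985, 9, 30), "name": "Sample Applicant B",
                "address": "Constructed address 2", "licence_no": "DL-0002",
                "status": "APPROVED"},
}


def status_vulnerable(application_no):
    """Flawed pattern: the application number alone selects the record,
    and the whole record (including the date of birth that serves as the
    login secret) is returned to an unauthenticated caller."""
    record = APPLICATIONS.get(application_no)
    return dict(record) if record else None


def login(application_no, dob):
    """Authenticate with application number + date of birth and return a
    session bound to that single application (hypothetical session shape)."""
    record = APPLICATIONS.get(application_no)
    if record is None or record["dob"] != dob:
        return None
    return {"application_no": application_no}


def status_hardened(session, application_no):
    """Object-level check: the caller must hold a session for this exact
    application. The check runs before any lookup, so unknown and foreign
    application numbers produce the same error and cannot be told apart."""
    if session is None or session.get("application_no") != application_no:
        raise PermissionError("not authorized for this application")
    # Return only what a status page needs, never the stored personal data.
    return {"application_no": application_no,
            "status": APPLICATIONS[application_no]["status"]}
```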