Security Researcher Found Loophole by Which to Send SMSes From Government IDs

This particular loophole has been fixed since this time, and can not be used.

Security Researcher Found Loophole by Which to Send SMSes From Government IDs

Photo Credit: Pexels

Credentials revealed via GitHub could have been misused to send text messages

Highlights
  • Credentials to a government SMS platform were leaked on GitHub
  • Anyone could have sent messages from official IDs using this
  • The loophole was fixed by April owing to TRAI's changes in SMS rules

Publicly shared usernames and passwords for the government's SMS publishing platform meant that a malicious user could have used the official machinery to send text messages posing as the government. Sai Krishna Kothapalli, a security researcher in Hyderabad, found the credentials while searching through public repositories, but he says that this particular issue has now been mitigated thanks to an unrelated change to the SMS infrastructure.

In a blog post, Kothapalli explained how, while searching through the public repositories on the software development platform GitHub as a part of his research, he came across credentials which looked suspicious, because the project belonged to an Indian, and its URL is of a government service.

Kothapalli, the CEO of a security company called Hackrew, which has worked with the Government of Telangana, along with other government bodies, explored this further and found that you could not directly visit the URL. Instead, he then looked at the details to visit the website and found that it belongs to the National Mobile Governance Initiative, developed by the Centre for Development of Advanced Computing.

The service has been used by the government to send over 600 crore text messages every year to Indians, by both the centre and states. In his blog, Kothapalli explained that he then found documentation for the service online. Logging into the service was secured by an OTP, so this at least could not be misused.

However, Kothapalli also found an API for the service, which required three parameters to use — the username, password, and sender ID. Once again, he searched on GitHub, and found usernames and passwords — many of them, in fact.

“I was able to find 30+ credentials and required details to make these requests,” he wrote. “There are definitely more.” Interestingly, he found some security measures like an IP whitelist (allowing only users connected from an authorised list of IP addresses, to log in, even with the correct credentials), but only two of the 15 credentials he tested were using this security feature. If the government organisations had used this feature built into the system, he would not have been able to exploit the loophole even with the usernames and passwords.

Gadgets 360 wrote to the National Critical Information Infrastructure Protection Centre (NCIIPC) one week ago sharing Kothapalli's findings and asking if the agency was aware of the issue, and if it was taking any steps to prevent passwords and other credentials from being shared on Github, but have not received any reply.

Update: After the publication of this article, the NCIIPC responded to state the following: "1. We acknowledge the issue reported by you. 2. We are in the process of verification and remediation in coordination with the respective stakeholder(s) and look forward to your continued contribution."

We shall update this article on receiving a further reply.

What was the risk posed by this?

Sender ID is the header that tells you where a message has come from, such as VX-ViCARE, or TX-MYTSKY for example. Or something that sounds very official, such as ADHPGOVT.

sai SMS test sms test

A screenshot showing test messages using the publicly uploaded credentials
Photo Credit: Sai Krishna Kothapalli

Using this, Kothapalli was able to test the API, and send messages to himself, posing as the Himachal Government and the Election Commission. The potential for misuse of something like this is quite concerning. Official seeming messages that appear to come from the government could have been used to spread misinformation without anyone being any wiser.

“Imagine people receiving a message from the Election Commission of India that the election booth is closed or elections are postponed because of the COVID-19 pandemic,” Kothapalli wrote.

Switch to blockchain DLT for SMS also fixed this loophole

This particular security flaw has been fixed by now, so that even with leaked credentials, the potential for misuse is now much lesser. According to Kothapalli, he discovered the flaw in February, but did not explore it in depth at the time. When he came back to it in May, he found that he could no longer send messages.

This was because of a fundamental change that the Telecom Regulatory Authority of India (TRAI) introduced in March. At the time, it had caused a major disruption to the sending of OTPs from banks and other institutions because they had to create something called a template to send the messages. The new Distributed Ledger Technology (DLT) system is a blockchain-based registration system, and the rules, which were fully implemented from April 1, require that all messages being sent follow a predetermined template.

Kothapalli wrote, “Essentially, anyone can't send custom messages using the above-mentioned loophole anymore. Though TRAI's new system fixed a part of loophole, anyone can still send templated messages. This restricts the possibilities of scams and misuse.”

Even so, he warned that he might not have been the first person to discover the vulnerability, and that it was crucial to check if this has been misused before. “Government should ensure that the developers don't push credentials and other secrets to services like GitHub. Basic training should be given to those developers,” he added. “And by design, the CDAC API has IP whitelisting allowed. So it should have been enforced.”

This advice is equally true for private organisations as well, which have witnessed a string of breaches of ever increasing scale in the last year, with reports of breaches in Air India, BigBasketMobiKwik, and many more, all allegedly affecting millions of Indians.


What is the best phone under Rs. 30,000 in India right now? We discussed this on Orbital, the Gadgets 360 podcast. Orbital is available on Apple Podcasts, Google Podcasts, Spotify, Amazon Music and wherever you get your podcasts.
Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Further reading: SMS, Blockchain, Spam, Security, GitHub
Gopal Sathe is the Editor of Gadgets 360. He has covered technology for 15 years. He has written about data use and privacy, and its use in politics. He has also written extensively about the latest devices, video games, and startups in India. Write to gopal@ndtv.com or get in touch on Twitter through his handle @gopalsathe with tips. More
Spotify Premium Users Can Now Download Music for Offline Listening on Apple Watch
India Biodiversity Portal Is Documenting Every Species in the Country and Everyone Can Take Part

Related Stories

Share on Facebook Tweet Snapchat Share Reddit Comment
 
 

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2021. All rights reserved.
Listen to the latest songs, only on JioSaavn.com