An unsecured API in the Delhi Police online infrastructure exposed the entire system to malicious actors. The API could be queried without authorisation, potentially posing a critical threat. With this unsecured API, a malicious actor could have checked FIR details, added details to the criminal tracking database CCTNS, or sent emails and SMS from the Delhi Police. In October, Bengaluru-based security researcher Karan Saini informed the police, CERT-In (the nodal agency for reporting computer security incidents), and the NCIIPC RVDP (the rapid vulnerability disclosure program of the nodal agency for security in critical infrastructure). The RVDP acknowledged the report, but the issue then remained open for many months.
The vulnerability was made possible through a flaw in the ZIPNET system, which was introduced in 2004 to share crime and criminal information in real time. However, while accessing existing records was part of what ZIPNET was set up to do, the flaw that Saini found would also allow anyone to modify those records.
In October, the RVDP team replied to Saini and acknowledged his report immediately, but there was no action after this. When Gadgets 360 approached these agencies in May, the unsecured API was still accessible, seven months after Saini had brought it to light. This meant that the entire digital infrastructure of the Delhi Police was at risk for more than half a year — in which time, if a malicious actor had discovered the flaw, they could have done something like inserting your name and photos into the CCTNS criminals database, Saini explained.
“The API appears to belong to an internal application meant for use by the Delhi Police. A malicious actor could abuse this API to introduce entries into, or make fraudulent changes to existing entries in the CCIS, CCTNS and ZIPNET database systems,” Saini said. “A malicious actor could also abuse a particular endpoint on the API to send text messages from the ‘DPCRIM’ SMS short code, and further, even commandeer a legitimate email address on the delhipolice.gov.in domain for the purpose of sending fraudulent communication – such as a phishing or malware campaign. What is particularly worrying about the ability to send an email from the delhipolice.gov.in domain is that, in this case, it is not done by way of sender address spoofing — that which is caught by most if not all spam filters — but rather due to legitimate mail credentials embedded in a particular API endpoint.”
The CCTNS database is also being used to seed a number of facial recognition programmes used by police departments around the country, so it could potentially have been misused to harass innocent people. The same flaw also allowed communications to be sent from the police's official email and SMS channels, which could have been misused to spread misinformation and cause harm as well.
Based on Saini's information, Gadgets 360 was able to verify the claims being made, and after confirming the problem, reached out to the RVDP.
After Gadgets 360 reached out to the agencies, the NCIIPC RVDP replied acknowledging the issue and resolved it within a few days. Saini has been able to confirm that the flaw has been patched and is no longer putting the safety and security of people at risk.
“While the API is no longer accessible through its original location, it is important to ensure that adequate measures have been taken to safeguard its functions, wherever it has been moved,” Saini added. He also said it was unfortunate that the patch took so long to put into place. In March 2019, Saini, along with Pranesh Prakash and Elonnai Hickok of the Centre for Internet and Society (CIS), also published a paper on the challenges of disclosing security vulnerabilities to the government, in which he and his colleagues at CIS note, “There is a noticeable shortcoming in the availability of information with regard to current vulnerability disclosure programmes and process of Indian Government entities, which is only exacerbated further by a lack of transparency.” In the paper, they also set out a series of measures that should be taken to improve the current situation.
Given the sensitive nature of the vulnerability, Saini did not want to share this information until the vulnerability was patched, yet it took several months for anything to be done, and ironically, Saini was not even informed when the patch was applied. Even Google's responsible disclosure policy provides for a 90-day disclosure deadline, after which a researcher can disclose an issue, but here it took double that time for any action to be taken, without the researcher being informed.
In a reply to Gadgets 360, the RVDP wrote, “The issue has been patched by the concerned authority, and the same issue reported by the security researcher was informed to the authority earlier in the month of October 2019.” It did not share any details on why this issue took so long to resolve, and Gadgets 360 confirmed from Saini that he was not informed about the patch.
Although the flaw itself is an important issue, the case also highlights the fact that security researchers who want to improve the security and robustness of India's digital infrastructure often face an uphill battle to have their work treated properly, which explains why many prefer to search for bugs in foreign software platforms, for which they are given recognition and reward.
A Hyderabad-based researcher, who asked not to be named as he is working as a consultant for the government, told Gadgets 360 that this is not an uncommon situation. “Things have definitely improved a lot in the last five years or so as the importance of the Internet has become clear, but there’s still room for progress,” he said.
In an earlier interview, Avinash Jain, Lead Infrastructure Security Engineer at Grofers and part-time bug-bounty hunter, told this reporter that there is a lack of support from the government. “There is minimal acknowledgement, which discourages people from reporting issues,” he said, adding that in contrast, foreigners like French researcher Robert Baptiste (better known as Elliot Alderson on Twitter) make public disclosures and become famous, while Indians are sidelined.