Finally doing a writeup of how I found that the eGovernment portal of Tamil Nadu had a major bug with a huge privacy impact as it leaked user documents with sensitive information (Personally Identifiable
Information) to the public. This issue was reported and has been fixed as well so am sharing this information so that others are aware of this issue and help them avoid similar problems in sites they manage going forward.
This whole saga started when I had to apply for an epass to enter Tamil Nadu and noticed that the link sent to download the PDF copy of the pass did not require any password to access. The link to download the data was something like: https://tnegov.in/xxxxxx where xxxxxx was a 6 character code. It looked like they might be vulnerable to an parameter enumeration attack so I wrote a quick script to try calling the URL with various sequential codes starting with AAAAAA and moving up. To my surprise within 30 seconds of me running the script I found another person’s personal document (https://tnegov.in/AAAABY) accessible over the web without any authentication. This URL gave me a PDF file that contained a “First Graduate Certificate” (Given to the first person in a family that graduates) for a lady in Virudhunagar District in Tamil Nadu.
Since I had proven that the private information was being leaked, I immediately killed the script and reported it to the Tamil Nadu CERT team using their web form and the same was also sent via email to info.cert@tn.gov.in on 12th March 2021.
A day later I got a call from the CERT team asking for more details. The lady I spoke with asked me a few questions about what I found and wanted additional information about me. The question she got stuck at was “Where are you currently working?” As I was on a work break since I doing my Degree in Cyber security I told her that I was not working anywhere but was a student. She was really confused and kept asking the question in different ways. After a few attempts she finally believed that I was studying Cyber Security and told me that they would look into this.
I expected them to take immediate action since this was a major privacy blunder but nothing happened and it was complete radio silence from them so I emailed them again a month later (29th April) asking for an update with another followup email sent in May with no response to either.
On 21st May I looped India CERT in the mail chain to escalate and wasn’t too hopeful of a quick response. Interestingly they replied within 24 hours asking for a PoC and screenshot of the issue, so I responded with a copy of the script I had written along with the PDF file containing the PII that I had found.
After that I didn’t get any communication from the team and I got busy with exams and classes so I didn’t follow up. However, every so often I would try to access the URL and it would still give me a PDF download. In October over 7 months after I first reported it I finally got an error when trying to download the data from the site. Now I get a 404 message stating that the page can’t be found. (The site gives too much detail in the error message but that is a different story and something for me to look at when I get some free time).
The overall experience was quite poor as in spite of the immediate response to the first notification of the issue they didn’t give me any details on the ETA for the fix or let me know once the issue was resolved. Which would have made it more streamlined and I wouldn’t have had to check frequently that the issue was resolved. If nothing else an email thanking for reporting the issue would have been nice, although I have seen that other agencies / sites giving bug bounty to people reporting such issues.
If you are hosting a site that allows users to generate data/files that can be downloaded the following should be kept in mind:
- When creating links to the generated files, don’t use sequential ID’s for the files as it makes it easy to iterate through. Instead create long randomized strings for the ID’s to make them harder to guess
- Add some form of authentication before allowing the download, something like a emailed link or SMS OTP to validate identity before allowing a download. For example the Nagaland Government site for ILP forces you to authenticate with an OTP before allowing you access to the document
- Add some checks for bruteforce attempts to guess file paths and block them.
Well this is all for now. I have a few more of these that I will be sharing over the next few months once I verify that the issue is resolved and safe to disclose.
– Suramya