Cyber Expert, Sunny Nehra and his team recently detected multiple security loopholes in the official websites of Indian Army. Sunny Nehra from “Secure Your Hacks” detected critical vulnerabilities in the websites indianarmy.nic.in and joinindianarmy.nic.in. Nehra and his team reported their findings to CERT-In and the concerned authorities for patching.
They observed that the Indian Armed forces website was using highly outdated Lodash (a JavaScript Library). Affected versions of the package were vulnerable to Prototype Pollution. The function zipObjectDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Such a critical security issue, if exploited, could lead to severe threats, including the complete takeover of the webserver. Furthermore, these sites were using obsolete jQuery, Bootstrap, and several other aspects of the web applications. This made the sites susceptible to different types of attacks.
UHBVN and DHBVN
Apart from this, they found out that some other government websites were having some critical security vulnerabilities. These sites included the UHBVN (Uttar Haryana Bijli Vitran Nigam) and DHBVN (Dakshin Haryana Bijli Vitran Nigam) with data of so many users of Haryana state. One of the primary reasons for the security issues was failing to keep various critical components of the websites up to date.
The websites contain a number of out-of-date features, including an out-of-date Liferay portal. It can allow an attacker to exploit the Arbitrary File Upload Vulnerability. Attackers can exploit such vulnerability to upload or transfer dangerous files. Subsequently, such files can be automatically processed within the product’s environment. In layman terms, the hacker can effectively take over the entire webserver.
This is not the first time Hacks and Security have found critical vulnerabilities in government websites. Earlier in Aug 2021, Sanjeev Gupta (former Digital India CEO) had notified how some Pakistani hackers had hacked into some Indian news channels, and Hacks and Security helped them fix their security issues.
Nehra explains the Reason behind government websites being so insecure
One of India’s well-known and acknowledged Cyber Security Professional, Sunny Nehra, created a Twitter thread to explain the root cause behind government websites being so insecure.
Government of India hosts its websites, including those of the Indian armed forces, on NICNET (National Informatics Centre Network) data centers. However, the respective departments mostly outsource their development to private firms. These firms have to adhere to some requirements, guidelines, and procedures that vary from department to department.
Where lies the problem?
A little scrutiny of the process of outsourcing gives an indication about the problem. The same happens in other tenders of government. Also, there is bidding-based outsourcing, the officials preferring their knowns and other political matters leading to this mess up.
Some private firms get the tenders, and they further outsource those to other smaller firms and save some funds as margin. To maximize the margins, some outsource to even the cheapest possible developers who have no idea about cyber security and don’t even bother to check critical updates. The authorities don’t do security audits for all the projects. When audits are carried out, connivance and rigging can not be ruled out.
He further explains that some cyber security researchers like him keep finding such flaws. Their aim is to detect them and inform the authorities. But, it is for the government to improve their policies and regulations for the development and audits of these tech projects. Aim of such researchers is to facilitate a secure infrastructure
Because at the end, it boils down to dedication and team work. If the developing team is not aware and dedicated every task is on ad-hoc basis. The employee of an outsourced firm will update it today. But, within a few days, another update will be required.
Updating is not the only issue. Administrators must take care of other aspects like implementation, logging, auditing etc also. Government of India must address these lapses on priority basis. Unless government gets its act together, such issues can have very serious implications.