French security researcher hacks BSNL intranet, exposes critical security flaws
What's the story
French cybersecurity researcher Baptiste Robert claims to have gained access to a private database of state-run Bharat Sanchar Nigam Limited (BSNL) which contains details of more than 47,000 employees. Baptiste Robert or Eliott Alderson (Twitter name), gained access by breaking into BSNL's intranet system and embedding a malicious code which helped him source the database. Here's more on this development.
Twitter Post
How the French security researcher hacked into BSNL intranet system
1) There was a SQL injection in their intranet website. It allows the attacker to dump the all database of the BSNL intranet. It contains the information of 47K+ BSNL employees, Senior officiers' information, BNSL administrators information, retired employee details and more. pic.twitter.com/HTEwtC63wp
— Elliot Alderson (@fs0c131y) March 4, 2018
Living at Risk
Indian engineer's warning fell on BSNL's deaf ears
The security issue brought to light what was earlier discovered by an Indian cybersecurity researcher Sai Krishna Kothapalli. Sai Krishna found this security vulnerability around two years back when he contacted BSNL about the issue which Sai Krishna says "could have been the largest data dump or hack in Indian history". However, Sai's requests fell on deaf ears.
Twitter Post
Alderson too confirms the issue was reported 2 years back
I found this issue a few days ago, but I'm not the first one to discover this issue. This issue had been discovered by a fellow Indian, @kmskrishna, 2 years ago. He sent mails to BSNL, even called senior officiers, but nobody answered him... pic.twitter.com/iN5mPr1EKs
— Elliot Alderson (@fs0c131y) March 4, 2018
Security flaws
From private data to Ransomware
Apart from all the private data and passwords of the employees, Alderson claimed that couple of BSNL websites - intranetuk.bsnl.co.in and intranethr.bsnl.co.in had also been attacked by ransomware and were unnoticed by BSNL, until he reported about it. He also highlighted that BSNL website had several open directories which "allowed everybody to consult their documents" and that a "monitoring bandwidth system was accessible publicly."
Earlier leaks
Meanwhile, how secure is your data?
Last week, Alderson alerted Bengaluru Police regarding security flaws in its VPNs and directories. He has also identified vulnerabilities in Telangana government's TSPost and gained access to Aadhaar details of 56 lakh NREGA scheme beneficiaries. Last year, Alderson also exposed security flaws in mAadhaar app.