Alderson also discovered that BSNL’s intranet websites had been attacked by a ransomware and allegedly, the IT department of the company had no knowledge about it
A French security researcher going by a pseudo-name of Elliot Alderson is exposing security vulnerabilities in Indian government-run websites and apps which include Aadhaar, Bengaluru Police, and the latest BSNL.
In the most recent exposé, Alderson bared open serious vulnerabilities which put personal details of BSNL’s former as well as present employees, over 47,000 in number, under threat. Alderson discovered that the data could be accessed by a simple SQL injection—the bread and butter of any professional computer hacker.
“There was a SQL injection in their intranet website. It allows the attacker to dump all database of the BSNL intranet. It contains the information of 47K+ BSNL employees, Senior officers' information, BNSL administrators information, retired employee details and more,” Alderson said in a tweet.
The researcher also shared screengrab of the dataset which tables the name, designation, fax number, phone and email address among other details.
Moreover, Alderson also discovered that BSNL’s intranet websites had been attacked by a ransomware and allegedly, the IT department of the company had no knowledge about it.
After discovering, Alderson informed the state-owned telecom company about the flaw which it rectified over the weekend.
Worryingly, the French hacker is not the first person to discover the security issue. An Indian engineering student had informed about the flaw to BSNL two years ago but the state-run telecom service provider didn't bat an eyelid.I found this issue a few days ago, but I'm not the first one to discover this issue. This issue had been discovered by a fellow Indian, @kmskrishna, 2 years ago. He sent mails to BSNL, even called senior officiers, but nobody answered him... pic.twitter.com/iN5mPr1EKs
— Elliot Alderson (@fs0c131y) March 4, 2018
Alderson’s other exploits include a series of exposé about security flaws in Aadhaar website as well as the app. After one of the exposé, the mAadhaar app was updated to eradicate the vulnerability.
Alderson also pointed out the security lapse in Bengaluru City Police and Telangana government website which oozed out details of beneficiaries of the MNREGA, including their contact details and personal information.
