A tale of a security flaw, its discovery, disclosure to authorities and their indifference.
I do not believe in full disclosures. I think they do more harm than good. But lately I had an experience which helped me understand why people are often forced to do a full disclosure of a software vulnerability.
There is only one ‘argument’ for a full disclosure – that it ‘forces’ the organization to act swiftly and fix the vulnerability. And believe me, there are many organizations that are too lazy to fix a problem reported to them.
Lately, I chanced to visit the website of the National Institute of Design, Ahmedabad. NID happens to be one of the premier institutes of design in India. The website has a portal (called Kportal) aimed at providing a unified login for students, staff and alumni for various institute-related functions. It has monthly pay-slips for employees, library records for students and many more institute-specific features.
This portal has several security vulnerabilities. It is a great example of ‘poor design’. By design I mean the design of their web architecture rather than their user interface. I was curious to know how deep one can get into their systems, and it took me a couple of hours to verify that a sophisticated attack can actually give one access to their database. And guess what you find in their database. You find pay slips, marks of students and passwords (very unfortunately, in plain text). This was horrifying. More horrifying was the fact that updating records in the database was just a matter of firing some update queries using a specific channel. I wish I were a student there.
Immediately after, I sent an email to the top officials of NID explaining to them the vulnerabilities that their portal has. Since I did not know the right person to talk to regarding this, I went to their ‘Director and Deans’ page and emailed their Director (Shri Pradyumna Vyas), Activity Chairperson (Shri Akhil Succena) and Acting Dean, R&D Campus (Dr. S Ghosal). I also emailed Ms. L Padmavati Bet, a person I believe to be closely related to the development of this portal. I specifically wrote about the vulnerability and the amount of data that can be leaked in case one is successful in his attempt. I sent a separate email to Ms. Padmavati explaining in detail a typical hack to which her account is especially vulnerable. By the nature of the design of Kportal, her account was ‘most prone’ to a very popular class of attack (I am not mentioning the names of the techniques for obvious reasons).
Guess what the response was!! I heard nothing back from them. They read the emails and didn’t bother to take any action. The portal still poses a big threat to the personal data of all the students/staff of NID. I volunteered to give specific inputs to harden their portal should they need it, but they don’t want any.
The downside of all this is that the students of NID are continually exposed to attacks leading to privacy invasion and data loss. I may not be the first person to discover this. Maybe there are many others who are snooping into the accounts of these students without their knowledge. Even worse, many people tend to keep their passwords the same for the various online accounts that they have. In such a case, getting a password from the NID portal will enable any attacker to log in to the other accounts of users. There are many more lateral attacks possible than I can enumerate here. Think about the secret question. What if you have different passwords for different accounts but you keep the same secret question/answer for all of them? As of today, it’s fairly easy to get any of these details for any NID student/staff.
There is an urgent need for NID to let the students know about the weakness that they had, and to send emails to all the 1848 students/staff registered on their portal asking them to do the following:
- Change the passwords of all other online accounts that had the same password as the one they used for K portal.
- Change the secret question/answer of all other online accounts that have the same secret question/answer pair as used on K portal.
I wish I could force them to do this. I wish they were a little more responsible. If you are running an organization this big, isn’t it your responsibility to protect your users’ data??