Indian Post Office Portal Exposed Thousands of KYC Records With Username & Mobile Number


The Indian Post Office portal was found vulnerable to an Insecure Direct Object Reference (IDOR) attack, exposing sensitive Know Your Customer (KYC) data of thousands of users. 

This breach highlights the critical need for robust security measures in government-operated digital platforms, especially those handling sensitive personal information like Aadhaar and PAN details.

What Happened?

According to Gokuleswaran, a Cyber Security Analyst, the vulnerability allowed unauthorized users to access private KYC records by exploiting a flaw in the portal’s URL structure. 

By manipulating the document_id parameter in API requests, attackers could retrieve confidential documents, including Aadhaar numbers, PAN details, usernames, and mobile numbers. 

This breach exemplifies how IDOR vulnerabilities can lead to horizontal privilege escalation, where attackers gain access to other users’ data without proper authorization checks.

Request to retrieve a user’s KYC document (screenshot)

The response returned sensitive data (screenshot).

By incrementing the document_id value (e.g., changing 125678 to 125679), attackers could access other users’ KYC records without authentication or authorization.

IDOR vulnerabilities occur when applications fail to enforce proper access controls on user-supplied parameters. In this case:

  • The document_id parameter directly referenced internal resources without validating whether the requesting user had permission to access them.
  • The system lacked server-side authorization checks, relying solely on client-side validation, which is easily bypassed.

PoC of details exposed (screenshot)

Impact of the Breach

This vulnerability exposed highly sensitive information, creating significant risks for affected individuals and organizations:

  • Identity Theft: Leaked Aadhaar and PAN details can be exploited for fraudulent activities such as opening unauthorized bank accounts or applying for loans.
  • Phishing Attacks: Scammers can use leaked names and contact information to craft convincing phishing campaigns.
  • Regulatory Violations: Mishandling of KYC data breaches Indian data protection laws, potentially leading to legal repercussions for the postal department.

Mitigation Measures

To prevent such breaches in the future, organizations should adopt best practices for securing web applications:

  • Enforce strict server-side authorization checks for every request involving sensitive resources.
  • Replace direct identifiers like document_id with randomized or hashed tokens that are harder to guess.
  • Ensure all user-supplied parameters are sanitized and validated against expected values.
  • Conduct periodic penetration testing to identify vulnerabilities before they are exploited.
  • Limit the number of requests per user and monitor logs for suspicious activity.
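As an added example that is not part of the original report or the portal's own code, the following Python sketch puts the defect described in the "What Happened?" section (a document_id looked up with no ownership check) next to a hardened lookup, an opaque-token scheme of the kind the mitigation list recommends, and a simple log check that flags a session requesting a run of consecutive document ids. The record store, user names, document ids and log lines are all constructed for the example; no real KYC data or portal endpoints are involved.

```python
"""Added example (not the portal's own code): an IDOR-style lookup beside a
hardened one, opaque document tokens, and a log check for id enumeration."""
import secrets
from collections import defaultdict

# Constructed sample records keyed by a sequential internal document_id.
# Values are placeholders, not real KYC data.
DOCUMENTS = {
    125678: {"owner": "user_a", "name": "A. Kumar", "mobile": "9*******01"},
    125679: {"owner": "user_b", "name": "B. Singh", "mobile": "9*******02"},
}

# Constructed access-log lines in the form "<session_user> <document_id> <status>".
SAMPLE_LOG = [
    "user_a 125678 200",
    "user_c 125678 200",
    "user_c 125679 200",
    "user_c 125680 200",
    "user_b 125679 200",
]


def vulnerable_get_document(document_id):
    """The defect the article describes: the id from the request is looked up
    directly and the requesting user is never considered, so any valid
    document_id returns someone's record."""
    return DOCUMENTS.get(document_id)


def get_document(session_user, document_id):
    """Hardened lookup: the record is returned only if the authenticated
    session owns it. The check runs server side on every request. A record
    that is missing and one that belongs to another user both yield None,
    so the response does not reveal which ids exist."""
    record = DOCUMENTS.get(document_id)
    if record is None or record["owner"] != session_user:
        return None
    return record


class TokenMap:
    """Opaque, unguessable handles for documents. The sequential internal id
    never appears in a URL; each token is bound to the user it was issued to."""

    def __init__(self):
        self._tokens = {}  # token -> (session_user, document_id)

    def issue(self, session_user, document_id):
        """Issue a token only for a document the user is authorized to read."""
        if get_document(session_user, document_id) is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._tokens[token] = (session_user, document_id)
        return token

    def resolve(self, session_user, token):
        """Map a token back to a record, re-checking ownership on the way."""
        entry = self._tokens.get(token)
        if entry is None or entry[0] != session_user:
            return None
        return get_document(session_user, entry[1])


def flag_enumeration(log_lines, threshold=3):
    """Detection: return users that requested at least `threshold` distinct,
    consecutive document ids, the access pattern of an IDOR sweep. Each line
    is '<session_user> <document_id> <status>'."""
    ids_by_user = defaultdict(set)
    for line in log_lines:
        user, doc_id, _status = line.split()
        ids_by_user[user].add(int(doc_id))
    flagged = []
    for user, ids in ids_by_user.items():
        ordered = sorted(ids)
        run = longest = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= threshold:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_get_document(125679))  # another user's record
    print("hardened  :", get_document("user_a", 125679))   # None
    tokens = TokenMap()
    token = tokens.issue("user_a", 125678)
    print("via token :", tokens.resolve("user_a", token)["name"])
    print("flagged   :", flag_enumeration(SAMPLE_LOG))     # ['user_c']
```

Two design choices are worth noting. The hardened lookup returns the same result for "does not exist" and "belongs to someone else", so a caller cannot use the response to learn which ids are valid. The token map does not replace the ownership check; it is layered on top of it, so a leaked token is still useless to a different session.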

CERT-In has acknowledged the issue and issued advisories emphasizing secure coding practices to prevent IDOR vulnerabilities.

CERT-In acknowledgement (screenshot)

It recommends using secure tokens instead of direct references in URLs and conducting regular security audits to detect weaknesses.

As India transitions towards digital governance, robust security protocols must be prioritized to safeguard public trust and prevent large-scale data breaches.
