Government Road Accident Website Hacked, 10K Users’ Sensitive Data on Dark Web


On August 2, cybersecurity firm CloudSEK detected that the source code of the Ministry of Road Transport and Highways’ road accident website was being distributed without authorization.

CloudSEK has reported a significant breach involving the integrated road accident database (iRAD) website of the Ministry of Road Transport and Highways, detected through its XVigil AI digital-risk platform.

According to CloudSEK, the breach, detected on August 2, involved the website’s source code being shared on an underground cybercrime forum, the kind of site loosely referred to as the dark web. In its report, the firm stated that its sources were able to obtain the source code, 165 MB in total, most of it written in PHP.

The report also highlighted several sensitive values hardcoded in the code, including hostnames, database names, and passwords. Credentials embedded in leaked source do not need to be guessed at all, since anyone holding the dump can read them, and the report noted that the usernames and passwords in the code were also simple enough to be brute-forced by anyone who gained access to the servers they belong to.

Closer inspection of the leaked source code revealed references to the NIC SMS Gateway GUI portal (sms.gov.in), raising the concern that unauthorized parties could use the gateway to send messages to citizens. Some URLs embedded in the code also carried username and password fields, which would grant access to the services behind them if those values are still valid.
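The two paragraphs above describe hardcoded hostnames, database credentials and a gateway URL carrying a username and password. The following scanner, added here as an illustration and not taken from CloudSEK’s report or from the iRAD code, is the kind of check a reviewer would run over a PHP dump to surface such values and flag the weak ones. The PHP sample, its hostnames and its credentials are all constructed for the example.

```python
"""Scan PHP source for hardcoded secrets and flag weak ones.

Added example; the sample below is constructed and nothing in it is real.
"""
import re
from dataclasses import dataclass

# Constructed sample imitating a PHP config file from a leaked dump.
SAMPLE_PHP = r"""<?php
define('DB_HOST', 'db01.internal.example');
define('DB_NAME', 'accidents');
define('DB_USER', 'admin');
define('DB_PASSWORD', 'admin123');
$sms_url = "https://sms.example.invalid/send?username=gateway&password=gateway1&msg=";
$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
"""

# Three shapes of hardcoded secret: define() constants, $variables, and
# credentials carried in a URL query string (the SMS-gateway case).
PATTERNS = [
    re.compile(r"define\(\s*['\"](?P<key>[A-Z0-9_]*(?:PASS|PASSWORD|PWD|SECRET|TOKEN)[A-Z0-9_]*)['\"]"
               r"\s*,\s*['\"](?P<val>[^'\"]*)['\"]"),
    re.compile(r"\$(?P<key>\w*(?:pass|pwd|secret|token)\w*)\s*=\s*['\"](?P<val>[^'\"]*)['\"]", re.I),
    re.compile(r"(?P<key>password|passwd|pwd)=(?P<val>[^&'\"\s]+)", re.I),
]

# Tiny stand-in for a real wordlist; a practitioner would load a full one.
COMMON = {"password", "admin", "admin123", "123456", "welcome", "root", "test"}


def is_weak(secret: str) -> bool:
    """Crude heuristic: short, on the common list, or a lowercase word
    optionally followed by a few digits (the 'admin123' shape)."""
    s = secret.lower()
    return (len(secret) < 10
            or s in COMMON
            or re.fullmatch(r"[a-z]+\d{0,4}", s) is not None)


@dataclass
class Finding:
    line: int
    key: str
    value: str
    weak: bool


def scan_php(source: str) -> list[Finding]:
    """Return every hardcoded secret found, with its line number and a weakness flag."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pat in PATTERNS:
            for m in pat.finditer(line):
                val = m.group("val")
                findings.append(Finding(lineno, m.group("key"), val, is_weak(val)))
    return findings


if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print(f"line {f.line}: {f.key} = {f.value!r}{'  (weak)' if f.weak else ''}")
```

On the constructed sample the scanner reports the database password on line 5 and the gateway password inside the URL on line 6, both flagged weak. The real remediation is not a stronger string in the same place: credentials belong in environment variables or a secrets manager, and every value found this way should be rotated, since the dump is already in circulation.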

According to the researchers, a second post by the same threat actor on August 7 shared a sample dataset containing the records of 10,000 users of the website. The post stated that the data had been obtained through SQL injection against a vulnerable API endpoint, and that endpoint was still reachable when the report was written.

The dataset’s header listed the fields id, office_id, name, email, active, mobile, ps_code, remarks, password, username, created by, dept_code, role_code, state_code, designation, created_date, old_password, password_enc, district_code, email_verified, and mobile_verified.
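The two paragraphs above describe records pulled through SQL injection on an API endpoint. The example below, added here and not taken from CloudSEK or from the iRAD site, shows the query pattern that makes such an endpoint injectable next to the parameterised version, and how a single injectable parameter both dumps a user table and reveals its column layout. SQLite stands in for whatever database the site actually uses; the table mirrors a subset of the leaked header fields, and every row is invented.

```python
"""Injectable lookup endpoint beside its parameterised fix.

Added example on a constructed table; the names, emails, numbers and
passwords below are invented.
"""
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    office_id INTEGER,
    name TEXT,
    email TEXT,
    mobile TEXT,
    username TEXT,
    password TEXT,   -- clear text, as in the leaked sample
    role_code TEXT,
    state_code TEXT
);
"""

# Constructed rows; no real people or officials.
ROWS = [
    (1, 10, "Alice Example", "alice@example.invalid", "9000000001", "alice", "alice123", "ADM", "DL"),
    (2, 11, "Bob Example", "bob@example.invalid", "9000000002", "bob", "password", "OPR", "MH"),
    (3, 12, "Carol Example", "carol@example.invalid", "9000000003", "carol", "Carol@2023", "OPR", "KA"),
]

COLUMNS = "id, name, email, mobile, username, password"


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?,?,?,?)", ROWS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, office_id: str) -> list:
    """The bug: the request parameter is pasted into the SQL text, so whatever
    the client sends is parsed as part of the query."""
    sql = f"SELECT {COLUMNS} FROM users WHERE office_id = {office_id}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, office_id: str) -> list:
    """The fix: the value travels as a bound parameter, so it can only be
    compared against office_id, never interpreted as SQL."""
    sql = f"SELECT {COLUMNS} FROM users WHERE office_id = ?"
    return conn.execute(sql, (office_id,)).fetchall()


# Payloads sent as the office_id parameter.
DUMP_ALL = "10 OR 1=1"
# UNION with matching column count pulls the table definition out of
# sqlite_master, which is how an attacker learns the header fields to dump.
SCHEMA_PROBE = "0 UNION SELECT 1, name, sql, '', '', '' FROM sqlite_master"


if __name__ == "__main__":
    conn = open_db()
    print("legit:", vulnerable_lookup(conn, "10"))
    print("dump :", vulnerable_lookup(conn, DUMP_ALL))
    print("probe:", vulnerable_lookup(conn, SCHEMA_PROBE))
    print("fixed:", safe_lookup(conn, DUMP_ALL))
```

The bound-parameter version returns nothing for either payload because the string `10 OR 1=1` is compared, not parsed. Parameterisation closes the injection, but it does nothing about the second problem the dataset shows: a `password` column holding clear text. Those values need to be replaced by salted password hashes, and the exposed passwords rotated, independently of the endpoint fix.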

The report also said that some of the names and mobile numbers in the sample dataset were checked against Truecaller and found to match. The sample also contained clear text passwords and email IDs of government officials.

The researchers warned that the leaked information could give attackers access to the website’s infrastructure. Credentials exposed in clear text allow direct account takeover, and even passwords stored in encrypted or hashed form can be recovered by brute force if they are common or weak. Such access would let attackers extract further data and maintain a persistent presence.

CloudSEK informed the Ministry of Road Transport and Highways of the breach and stressed the need to secure the iRAD website and protect users’ sensitive data promptly. News18 has learned that CloudSEK works closely with CERT-In and reports each identified vulnerability to it. The government is understood to have taken the necessary measures based on the information in CloudSEK’s report.
