“A malicious actor could abuse this API to introduce entries into, or make fraudulent changes to existing entries in the CCIS, CCTNS and ZIPNET database systems,” Saini said.
This meant that the entire digital infrastructure of the Delhi Police was at risk for more than half a year; had a malicious actor discovered the flaw in that time, they could have done something like inserting your name and photos into the CCTNS criminals database, Saini explained.
In October, Bengaluru-based security researcher Karan Saini informed the police, CERT-In (the nodal agency for reporting computer security incidents) and the NCIIPC RVDP (the Responsible Vulnerability Disclosure Program of the nodal agency for critical infrastructure security), which acknowledged the issue but then did not close it for many months.
With this unsecured API, a malicious actor could have looked up FIR details, added entries to the CCTNS criminal tracking database, or sent emails and SMS in the name of the Delhi Police.
In March 2019, Saini, together with Pranesh Prakash and Elonnai Hickok of the Centre for Internet and Society (CIS), also published a paper on the challenges of disclosing security vulnerabilities to the government, in which they write, “There is a noticeable shortcoming in the availability of information with regard to current vulnerability disclosure programmes and process of Indian Government entities, which is only exacerbated further by a lack of transparency.”