Unveiling a Critical Vulnerability in the Assam Electoral Website: A Race Against Time to Safeguard Democracy
Introduction:
In the pursuit of checking my voters' information on the Assam Electoral Website, little did I know that my curiosity would lead me to uncover a dangerous security vulnerability. This article recounts my journey from discovering the vulnerability to promptly reporting it to the government, ensuring the safety and integrity of the electoral process.
Step 1: Unintended Paths and Suspicious URLs
Upon visiting the official Assam Electoral Website to find my voters' details, I noticed that the website redirected me to an unusual IP address (xxx.x.xxx.xxx) with port 8080. It appeared to be a different server hosting the application I intended to use. This unexpected redirection raised a red flag, sparking my suspicion that there might be a security vulnerability in play.
Step 2: The Trepidation Builds
The redirected page required me to fill out a form with my personal information to retrieve my voter ID and name. As an individual concerned about online security, I realized that this process could be flawed and potentially lead to unauthorized access to sensitive data.
Step 3: Digging Deeper with Dirbuster
To confirm my suspicions and assess the extent of the vulnerability, I decided to use a tool called Dirbuster. This tool helps in discovering hidden directories and files on a web server. By using Dirbuster on the IP address, I was able to find hidden directories, and that's where the story took a worrisome turn.
Step 4: Stumbling upon the Admin Login Portal
Dirbuster revealed an administrative login portal at http://xxx.x.xxx.xxx:8080/utility/Frame.php. The presence of an unsecured admin login panel was a significant security flaw in itself. My intuition told me to investigate further, and by examining the source code of the login page, I uncovered the critical security vulnerability.
Step 5: The Dangerous Vulnerability Unveiled
The login page source code exposed a major flaw in the authentication mechanism. A parameter named "tag" controlled the actions performed after a successful login. By altering the value of the "tag" parameter to "2", an attacker could bypass the authentication process entirely and gain unauthorized access to the administrative database panel.
Consequences: The Grim Possibilities
This vulnerability held the potential for devastating consequences. An attacker exploiting this flaw could perform Remote Code Execution (RCE) by uploading malicious PHP files to the server. They could manipulate, delete, view, or add data in the administrative database, including critical information like the voter registration database. The implications were alarming, as it could compromise the entire electoral process, leak sensitive private information, and severely damage the credibility of the electoral system.
Reporting the Vulnerability:
Recognizing the urgency of the situation, I immediately reported my findings to the government at 3:30 AM. I provided a detailed report outlining the vulnerability's nature and possible consequences, along with recommendations for mitigation.
After promptly reporting the critical security vulnerability to the government, immediate action was taken to safeguard the Assam Electoral Website. In response to the disclosure, the government worked tirelessly to address the issue and prevent any potential exploitation. As part of their security measures, the IP URL hosting the vulnerable website was temporarily made inaccessible for a few weeks.
While this may have caused inconvenience to Assam’s citizens who wanted to check their voter ID cards and details online, it was a necessary step to ensure the vulnerability was thoroughly addressed. (Apologies to the citizens of Assam for the website downtime; little did they know, I was just one bug away from becoming public enemy number one! . Lol 😂)
During the period of temporary unavailability, the government's cybersecurity team was hard at work revamping the entire portal. They redesigned it with a more robust and secure architecture, bolstering the authentication and authorization mechanisms. The new portal prioritized data protection and reduced the risk of unauthorized access to sensitive information.
Once the improvements were in place, the website was re-launched, providing citizens with a safer and more secure platform to access their voter information online. Thanks to the proactive measures taken by the government and the collaborative efforts, citizens of Assam could confidently use the new portal, knowing that their data was protected against potential threats.
The incident served as a valuable lesson, highlighting the importance of cybersecurity in government systems, particularly those related to critical processes like elections. By acknowledging the vulnerability and swiftly taking remedial actions, the government demonstrated its commitment to protecting the democratic process and securing citizens' data.
Conclusion:
The journey from checking my voters' information to discovering a dangerous vulnerability on the Assam Electoral Website was an eye-opening experience. It highlights the importance of vigilance and responsible disclosure in securing critical government systems. My hope is that by reporting this vulnerability promptly, I have contributed to safeguarding the electoral process and preserving the trust of the citizens in the democratic system.
If you enjoyed the article, connect with me on LinkedIn (www.linkedin.com/in/cyberchiranjit), follow me on Instagram (www.instagram.com/cyberchiranjit), and stay updated with Hackzap Security on LinkedIn (www.linkedin.com/company/hacktevo-security/) and website (hackzapsecurity.in) . Let’s continue the cybersecurity journey together! 🚀