In a very shocking incident an ethical hacker, Sunny Nehra found not one but multiple critical vulnerabilities or security loopholes in the official Indian army websites indianarmy.nic.in and joinindianarmy.nic.in which were reported to Cert-in and concerned authorities. Apart from this, serious vulnerabilities were also found in many other govt websites including UHBVH (Uttar Haryana Bijli Vitran Nigam) and DHBVN (Dakshin Haryana Bijli Vitran Nigam) websites having data of so many users of Haryana state. Not only this vulnerabilities were also found in personal website of Haryana CM Manohar Lal Khattar which were reported to Hartron team.
The worst part is that there are official social media accounts connected to (and created by mails there were set up on) these websites which also could be compromised by hackers because of these flaws.
One of the primary reasons behind the security issues was the lack of updation of several important aspects of the websites. Like in Indian Army websites the Lodash (a JavaScript Library) was highly outdated and hence was vulnerable to Prototype Pollution, a severe critical security issue which if exploited could lead to very serious threats including complete takeover of the web server.
Not only this the jQuery, Bootstrap and several other aspects were also very outdated and thus suffering from several different type of attacks. Same was for UHBVN and DHBVN websites which had several outdated aspects including an outdated Liferay portal which allowed the attackers arbitrary file upload that is they could upload and execute any file they wanted and could takeover the web server completely. CM Manohar Lal's website was using highly outdated drupal CMS and could be completely overtaken by hackers.
This is not the first time Sunny Nehra has found critical vulnerabilities in govt websites. Earlier in Aug 2021, Sanjeev Gupta (former Digital India CEO) had publicly announced about Nehra's findings about a web server of UP Vidhan Sabha that had been breached by malicious Vietnamese hackers to create a hidden drugs forum.
In that same month Nehra had also found how some Pak hackers had hacked into some Indian news channels and also helped them fix their security issues. Apart from his professional bug hunting for giant companies Nehra is always dedicated to securing the national level cyber infrastructure and so he keeps reporting some or other issues related to it as soon as he finds. This is one of the reasons that Sunny Nehra is considered as the top ethical hacker of India.
Nehra also made a twitter thread explaining what exactly is the root cause behind govt websites being so insecure. Most of govt websites including Indian army websites are hosted on NICNET (National Informatics Centre Network) though regarding their development they are mostly outsourced by their respective departments to some private firms following some requirements, guidelines and procedures which can vary from department to department. Now if you see the reality of how these projects have been outsourced that's quite messed up.
Same like happens in other tenders of govt here also there is bidding based outsourcing, the officials preferring their knowns and other political matters leading to this mess up. Some private firms get the tenders and they further outsource those to other smaller firms and just save some funds as margin. Now to maximise the margins some of them outsource to even cheapest possible developers who have no idea about cyber security and don't even bother to check critical updates. The security audits are not for all the projects and where they are they also generally are rigged the same way.
Nehra further explains that although some cyber security researchers like him who want to secure our infrastructure keep finding such flaws and keep getting them fixed for a bigger impact the govts needs to improve their policies and regulations for development as well as audits of these tech projects. Because at end if the developing team is not aware and dedicated you can get their aspects updated today but again after sometime they would be outdated. And apart from updation other aspects like implementation, logging, auditing etc also have to be taken seriously and without govts being strict with all that it's not going to solve it much just from security researcher's end.
