An independent security researcher discovered a significant flaw in the National Voters Service Portal (NVSP) and notified the Computer Emergency Response Team (CERT), which collaborated with technical specialists to patch the vulnerability.
Sai Krishna Kothapalli, the founder and CEO of Hackrew, a Hyderabad-based cybersecurity business, states he discovered the flaw while downloading his Elector Photo Identity Card (EPIC), which gave him access to other voters' registered phone numbers. A simple script could expose the phone numbers of all the voters in a Lok Sabha or Assembly constituency.
Mr Kothapalli, a graduate of the Indian Institute of Technology, Guwahati, alerted the CERT on October 22, 2021, through a vulnerability submission. Though he was supposed to receive an acknowledgement within 72 hours, he received a response on December 7, 2021, stating that the emergency response team was in contact with the relevant officials to take appropriate measures. He confirmed that the vulnerability had been addressed on December 14, 2021.
Mr Kothapalli stated, “The plugging of the loophole has not only prevented a major data leak — exposing the personal mobile phone numbers of several crores of voters across the country — but averted a possible scam during the process of elections. By accessing a mobile number, and using another vulnerability I found, we can send an SMS that will appear as if it came from credible Government IDs. For instance, we can send a message to a voter giving some misleading information that could deprive him/her of casting the vote. So one can imagine this on a larger scale, impacting crores of votes across India.”
The security researcher explained that he discovered the flaw after visiting the NVSP portal to download his e-EPIC. After a user submitted the EPIC number and State name, the system would send an OTP to the registered mobile phone for further authentication.
“This is where the vulnerability got exposed. While the OTP went to the voter’s mobile number, the response sent to the browser had the voter’s un-redacted phone number. While this is not visible on the screen, any person with the basic technical know-how of how websites work can figure out how to get it,” he added.
Since electoral rolls containing EPIC numbers, names, and other election-related and personal details of voters are published online for anyone to access, all that is required is a simple script to obtain the personal phone numbers, names, father's/husband's names, EPIC numbers, and constituency names of all voters in a constituency.
He further added, “This is the most dangerous and highly effective way you can abuse the vulnerability. Since names are visible, huge sections of the country can be targeted based on religion, caste or language in election-related scams in this way.”
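The flaw described above, a response that carries the full phone number even though the page never displays it, is the kind of defect a server-side allow-list and a regression check catch. The following is an added example, not code from the portal or the researcher; the record fields, function names, sample EPIC number and phone number are all constructed assumptions.

```python
import json
import re

# Constructed sample record; field names are assumptions, not the portal's schema.
VOTER_DB = {
    "ABC1234567": {"name": "Sample Voter", "state": "Telangana",
                   "mobile": "9876543210"},
}

# Only these keys may ever be serialized into the OTP-request response.
RESPONSE_ALLOWLIST = ("status", "masked_mobile")


def mask_mobile(mobile):
    """Keep only the last two digits so the user can recognise the number."""
    digits = re.sub(r"\D", "", mobile)
    if len(digits) <= 2:
        return "*" * len(digits)
    return "*" * (len(digits) - 2) + digits[-2:]


def otp_response_leaky(epic, state):
    """'Before' shape: the whole record is echoed back to the browser."""
    record = VOTER_DB.get(epic)
    if record is None or record["state"] != state:
        return {"status": "not_found"}
    return {"status": "otp_sent", **record}


def otp_response_hardened(epic, state):
    """'After' shape: build the response from an allow-list, never from the record."""
    record = VOTER_DB.get(epic)
    if record is None or record["state"] != state:
        return {"status": "not_found"}
    candidate = {"status": "otp_sent",
                 "masked_mobile": mask_mobile(record["mobile"])}
    return {k: v for k, v in candidate.items() if k in RESPONSE_ALLOWLIST}


def leaked_mobiles(payload):
    """Regression check: any full 10-digit mobile number in the serialized body.

    Assumes Indian mobile numbering (10 digits, first digit 6-9).
    """
    return re.findall(r"(?<!\d)[6-9]\d{9}(?!\d)", json.dumps(payload))
```

Running `leaked_mobiles` against every response in an automated test suite flags the leak regardless of whether the front end renders the field.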