Indian Army and Other Government Websites Filled with Critical Security Flaws, Says Sunny Nehra

In a very shocking incident, an ethical hacker, Sunny Nehra, found not one but several critical vulnerabilities or security flaws in the official Indian Army websites indianarmy.nic.in and joinindianarmy.nic.in, which have been reported to CERT-In and the relevant authorities. Apart from this, serious vulnerabilities have also been discovered in many other government websites, including the UHBVN (Uttar Haryana Bijli Vitran Nigam) and DHBVN (Dakshin Haryana Bijli Vitran Nigam) websites, which contain data on many users in the State of Haryana. Vulnerabilities were also found on the personal website of Haryana CM Manohar Lal Khattar, and these were reported to the Hartron team.

What’s worse is that there are official social media accounts connected to these websites (and created with email addresses on them) that could also be compromised by hackers due to these flaws.

One of the main reasons for the security issues was that several important components of the websites had not been updated. On the Indian Army websites, for instance, Lodash (a JavaScript library) was very outdated and therefore vulnerable to prototype pollution, a critical security issue which, if exploited, could lead to very serious threats, including taking full control of the web server.

Not only that, jQuery, Bootstrap and several other components were also very outdated and thus exposed to several different types of attacks. The same goes for the UHBVN and DHBVN websites, which had several outdated components, including an outdated Liferay portal which allowed attackers to download arbitrary files, i.e. they could download and run any file of their choice and take complete control of the web server. CM Manohar Lal’s website was using a very outdated Drupal CMS and could be completely taken over by hackers.

This is not the first time that Sunny Nehra has discovered critical vulnerabilities on government websites. Earlier in August 2021, Sanjeev Gupta (former CEO of Digital India) had publicly announced Nehra’s findings regarding a web server of UP Vidhan Sabha which had been hacked by malicious Vietnamese hackers to create a hidden drug forum.

During that same month, Nehra had also found out how some Pakistani hackers had hacked into some Indian news channels, and had helped those channels with their security issues. Apart from his professional bug hunting for giant corporations, Nehra is dedicated to securing cyber infrastructure nationwide, and hence he continues to report issues related to it as soon as he finds them. This is one of the reasons why Sunny Nehra is considered India’s top ethical hacker.

Nehra also created a Twitter thread explaining what exactly the root cause of insecurity on government websites is. Most government websites, including the Indian Army websites, are hosted on NICNET (National Informatics Centre Network), although as far as their development is concerned, they are mainly outsourced by their respective departments to certain private companies in accordance with certain requirements, guidelines and procedures, which may vary from department to department. Now, if you see the reality of how these projects have been outsourced, it’s pretty messed up.

As with other government tenders, the outsourcing here is tender-based, with officials preferring people they know and other political issues leading to this mess. Some private companies get the tenders and outsource them to other, smaller companies, keeping some of the funds as a margin. Then, to maximize margins, some of them outsource to even cheaper developers who have no idea about cybersecurity and don’t even bother to check for critical updates. Security audits are not carried out for all projects, and where they are, they are usually rigged in the same way.

Nehra further explains that although some cybersecurity researchers like him, who wish to secure our infrastructure, continue to find such flaws and get them fixed for greater impact, the government must improve its policies and regulations for the development as well as the audits of these technological projects. In the end, if the development team is not aware and dedicated, you can update their components today, but after a while they will be outdated again. And apart from updating, other aspects such as implementation, logging, auditing, etc. must also be taken seriously; unless governments are strict about all this, security researchers alone will not be able to solve much.