Due to a vulnerability or security bug, the website of the Union ministry of corporate affairs (MCA) leaked the personal data of Ratan Tata, Mukesh Ambani, Gautam Adani, Virat Kohli, Shah Rukh Khan and lakhs of other company directors, alleges a security expert. Sai Krishna Kothapalli, who runs a cybersecurity company called Hackrew, says that even though he followed proper government channels, it took 11 months and four days to fix a critical vulnerability that leaked the personally identifiable information of approximately 9.8mn (million) Indians, including many high net-worth individuals.
In a blog post, Mr Kothapalli says he was working on a proof of concept for a security tool called Eagle Eye that detects secrets and other sensitive information on all the websites he tests. He visited the MCA portal for some work and found that the tool picked up some information.
"There was some PII (personal identifiable information) like email and phone numbers that were in the HTTP response but not there in the rendered HTML. What this means is that your browser received some data that's not shown anywhere on the screen. This is a very generic type of vulnerability that's usually present in web or mobile applications. Essentially, the server is sending more than necessary data. Sometimes, this might include sensitive data," he says.
Mr Kothapalli says he found not just his own personal information but also the email IDs and phone numbers linked to all the ID numbers he holds, all available through the MCA website even when he was not logged in to the application. The only input he had provided, he says, was his director identification number (DIN), which the ministry assigns.
He then tried a random DIN, 00000001, and could see the personal information of none other than Ratan Tata. When the MCA portal was launched in 2006, Mr Tata was assigned the first DIN.
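The two defects described above (a server that sends more fields than the page renders, and a record lookup keyed by a sequential DIN with no login required) can be modelled in a few lines. The following is an added example, not code from the article, from Hackrew or from the MCA portal: the record fields, DIN values and HTML are constructed for illustration, and the real portal's responses are unknown. It places a flawed handler beside a hardened one that allow-lists fields and releases sensitive ones only to the record's owner, and adds the kind of check the article's tool performs: flagging values present in the response but absent from the rendered HTML.

```python
"""Added example: excessive data exposure in an HTTP response, a hardened
handler, and a detection check. All records, DINs and HTML are constructed
(hypothetical) and do not correspond to real people or to the MCA portal."""
import re
from typing import Optional

# Constructed sample store keyed by DIN; values are obvious placeholders.
DIRECTORS = {
    "00000001": {
        "din": "00000001",
        "name": "Director One",
        "status": "Approved",
        "email": "one@example.invalid",
        "phone": "+91-0000000001",
        "address": "1 Sample Street, Sample City",
        "dob": "1900-01-01",
        "pan": "ZZZZZ0000Z",
    },
}

# Fields the public page is meant to display.
PUBLIC_FIELDS = ("din", "name", "status")
# Contact details and identity numbers: owner (or an authorised officer) only.
SENSITIVE_FIELDS = ("email", "phone", "address", "dob", "pan")


def lookup_vulnerable(din: str) -> Optional[dict]:
    """Flawed handler: any caller, logged in or not, receives the whole stored
    record. The template renders only a few fields, so the rest travels in the
    HTTP response unseen by the user but visible to anyone reading the bytes."""
    rec = DIRECTORS.get(din)
    return dict(rec) if rec else None


def lookup_hardened(din: str, requester_din: Optional[str] = None) -> Optional[dict]:
    """Hardened handler: build the response from an allow-list of public fields
    and add sensitive fields only when the authenticated requester owns the
    record. requester_din is assumed to come from the server-side session, never
    from a request parameter, so a caller cannot claim another DIN."""
    rec = DIRECTORS.get(din)
    if rec is None:
        return None
    out = {k: rec[k] for k in PUBLIC_FIELDS}
    if requester_din is not None and requester_din == din:
        out.update({k: rec[k] for k in SENSITIVE_FIELDS})
    return out


def render(record: dict) -> str:
    """Constructed template: displays only the public fields it knows about."""
    rows = "".join(
        f"<tr><td>{k}</td><td>{record[k]}</td></tr>"
        for k in PUBLIC_FIELDS if k in record
    )
    return f"<table>{rows}</table>"


def unrendered_fields(payload: dict, html: str) -> set:
    """Detection check: which payload values never appear in the rendered HTML?
    A non-empty result means the server sent data the page does not show and
    the response should be triaged for PII. Substring matching is a heuristic;
    very short values can produce false negatives."""
    text = re.sub(r"<[^>]+>", " ", html)
    return {k for k, v in payload.items() if str(v) not in text}


if __name__ == "__main__":
    bad = lookup_vulnerable("00000001")
    print("leaked but unrendered:", sorted(unrendered_fields(bad, render(bad))))
    good = lookup_hardened("00000001")
    print("hardened, unrendered:", sorted(unrendered_fields(good, render(good))))
```

The detection function is the useful part for a reviewer: run it over a captured response and the page built from it, and every field it returns is data the server did not need to send. The hardened handler fixes both problems at once, because an allow-list leaves nothing to over-fetch and the ownership check means a guessable identifier alone no longer unlocks the sensitive fields.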
"Essentially, all the directors of Indian companies are affected. I couldn't find exactly how many directors are there. But if you look at DINs being issued, the latest numbers are over 98.65 lakh. It includes industrialists like Mr Tata, Mukesh Ambani, and Adani, cricketers like MS Dhoni, Virat Kohli, and Hardik Pandya and actors like Shah Rukh Khan, Mahesh Babu, and Pawan Kalyan, and many more," he says.
Mr Kothapalli says he was able to see personal information like phone numbers, email IDs, home addresses, father's name, date of birth, Aadhaar number, PAN number, passport number and voter ID numbers of the company directors.
After finding the bug on 16 January 2023, he contacted the Indian Computer Emergency Response Team (CERT-In). After going back and forth, on 19 December 2023 CERT-In finally informed Mr Kothapalli that the organisation concerned had confirmed it had fixed the reported vulnerability, and asked him to verify.
He replied, "The vulnerability appears to be fixed. There might be more URLs that are vulnerable, since there is similar functionality in the MCA application; the team should also look at those. Also, will there be any check to see if this vulnerability has been abused, since I have seen some companies selling directors' contact information like email and phone numbers publicly? How can we identify if the said data is obtained legally or otherwise?"
CERT-In told him that it had noted his concerns and would take appropriate action.
"As I mentioned in my email to CERT-IN, this vulnerability has existed for many months. There are a lot of companies openly selling the contact information (email and phone numbers) of directors online. I don't know if this vulnerability has been exploited. Surely, a thorough investigation is needed," Mr Kothapalli says.