French security researcher hacks into BSNL intranet, exposes flaws impacting 47,000 employees

Monday March 05, 2018 , 3 min Read

Ethical hacker finds personal details of past and present BSNL employees at risk. The telco was also unaware about a ransomware attack.

Not for the first time has French cybersecurity researcher Baptiste Robert discovered flaws in an Indian corporation or a government-run project, pointed them out to said authorities, and later exposed them on social media alerting users.

His latest target is state-run telco BSNL, which seems to have overlooked several security flaws in its intranet system that allowed Robert, who goes by the name of Eliott Alderson on Twitter, to hack into the details of more than 47,000 employees — past and present.

The ethical hacker also discovered that the websites intranetuk.bsnl.co.in and intranethr.bsnl.co.in had been attacked by ransomware, but BSNL was unaware of it. Employees’ personal data, including name, designation, password, mobile number, date of birth, date of retirement, email address, etc., were potentially at risk.

Alderson discovered this and alerted the telco over private message on Twitter.

He tweeted Sunday afternoon that the issues had been fixed.

Alderson, who goes by the handle of @fs0c131y, explained how he stumbled upon the security loophole.

1) There was a SQL injection in their intranet website. It allows the attacker to dump the all database of the BSNL intranet. It contains the information of 47K+ BSNL employees, Senior officiers' information, BNSL administrators information, retired employee details and more. pic.twitter.com/HTEwtC63wp
— Elliot Alderson (@fs0c131y) March 4, 2018

SQL, or structured query language code, is a simple web-hacking technique used by hackers and researchers to attack the backend of websites.

Alderson added, “I found this issue a few days ago, but I'm not the first one to discover this issue. This issue had been discovered by a fellow Indian, @kmskrishna, 2 years ago. He sent mails to BSNL, even called senior officers, but nobody answered him.”

@kmskrishna is Sai Krishna Kothapalli, an Indian security researcher, who’s also revealed several flaws in the Aadhaar project.

2) https://t.co/hKliHOJjlf had been attacked by a ransomware. They didn’t even notice… pic.twitter.com/3AfP0OZzdG
— Elliot Alderson (@fs0c131y) March 4, 2018

Alderson also revealed that the BSNL website had a lot of open directories which “allowed everybody to consult their documents”. “A monitoring bandwidth system was accessible publicly,” he said.

4) A monitoring bandwidth system was accessible publicly. pic.twitter.com/LVSHJTNwZE
— Elliot Alderson (@fs0c131y) March 4, 2018

BSNL is yet to make a public statement on this. But, it told Alderson on Twitter DM, “We are investigating the points you have mentioned.”

Earlier leaks

Alderson’s BSNL leaks comes shortly after he hacked into the Telengana government’s benefit disbursement portal, TSPost, and gained access to the Aadhaar details of over 40 lakh social schemes recipients and 56 lakh NREGA scheme beneficiaries.

“In theory, a government website is very secure but in India, it’s another story... http://tspost.aponline.gov.in is vulnerable to a basic SQL injection,” Alderson had tweeted a week ago.

In January, the researcher had also pointed out flaws in the mAadhaar app suggesting it was storing biometric data and eKYC profiles on a local database on users’ phones that could be easily hacked into. Anyone with basic programming knowledge could get access to the biometric data of a billion-plus citizens, he had said.

The UIDAI, of course, denied any such risk to Aadhaar data. It clarified on its official Twitter channel, “mAadhaar uses a local db to store the user preferences on the user's device. This data is application preferences as created by user on his/her phone. The app does not capture, store or take any biometric inputs. So, the question of biometrics being compromised does not arise.”

Advertise with us