How BIA Cyber got access to Telangana licence data
Note: The vulnerability had been fixed by the time this document was made public.
Dear Authorities/Researchers/Readers,
BIA Cyber is committed to protecting the privacy of individuals. The purpose of this document is to describe how to reproduce the vulnerability.
This document is a responsible vulnerability disclosure.
Name of researcher: Sai Sravan Prabhala
Organisation: BIA Cyber
Date of finding the vulnerability: 14/12/2021
Products affected: Telangana Transport
https://www.transport.telangana.gov.in/html/driving-licencel-learners.html
Exact software version: unknown
About the vendor: The Telangana transport department portal is a one-stop website where all citizens of Telangana can get details about their licences, vehicle registrations, vehicle insurance, etc.
Description: There is a severe logic error in the system (it may apply across India, since the validity rule used below is published on the national Parivahan Sewa portal). To verify it, follow these steps.
Step 1)
Open the portal (https://www.transport.telangana.gov.in/html/driving-licencel-learners.html).
Step 2)
Click on "Driving Licence Search", found at https://tgtransport.net/TGCFSTONLINE/Reports/OnlineLicenceSearch.aspx.
Step 3)
Understand how a licence number is constructed. For example, the licence number
TS10720210005462
decodes as:
TS: Telangana state
107: RTO/district code
2021: year of application
0005462: the 5462nd licence issued by this RTO in the year 2021
With this knowledge we can iterate over every serial issued in a given year, from 0000001 to 9999999, and likewise over the year field. We can therefore construct any licence number issued in Telangana.
The RTO codes can be found on another screen (see Step 7).
Step 4)
Searching with a licence number built this way returns the following details (not very useful on their own):
the full name of the card holder, the expiry date of the licence, and others.
If we iterate over the serial number, we get the names and expiry dates of different applicants.
Step 5)
Now I go to the mobile number update screen, found at https://tgtransport.net/TGCFSTONLINE/OnlineTransactions/UpdateMobileNumber.aspx.
Step 6)
Now I select "Licence" as the module.
Step 7)
Several fields now open. Clicking on "first issued place" lists the RTOs and their codes; with these, and the decoding from Step 3, we can generate every licence number issued in Telangana for any year.
Step 8)
Enter a licence number (which we now know how to generate) in the field.
Step 9)
Now only the date of birth remains (the core authentication value required to change the mobile number).
The logic to derive this value is given on another government website, Parivahan Sewa (https://parivahan.gov.in/parivahan//en/content/what-validity-driving-license):
Using basic arithmetic, we can work back to the date of birth from the rule
“A person's driving licence is valid for 20 years or up to the age of 40, whichever comes first.”
I was born on 16/03/1996. If I apply for my licence in 2021, my age is 24 or 25, so the maximum validity of my licence is my 40th birthday, which falls on 16/03/2036. Using Step 4 we can read the expiry dates.
I use the search screen to check the licence expiry date and subtract 40 years to get the date of birth (this may sound confusing, but it is easy). The subtraction is only valid when the expiry date falls less than 20 years after the year of issue; if the full 20-year term applies, the holder was under 20 at issue and the expiry date does not give an exact date of birth. Using this we can find the dates of birth of everyone who applied for a licence after the age of 20 and before 30; given the state's population, that could be millions of people.
I am also trying to decode the other licence validity rules to recover dates of birth.
Once I have all of these, I click "Get Details", which returns the full name, father's name and registered mobile number. (We can also change the mobile number without the applicant's knowledge.)
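The two inferences above, licence-number construction (Step 3) and date-of-birth recovery from the expiry date (Step 9), as an added offline example. This is not BIA Cyber's code and it makes no requests to any portal: the number layout and the validity rule are exactly those quoted on this page, and the sample search results are constructed for illustration, not real records.

```python
"""Offline model of the licence-number decoding and date-of-birth inference.

Added example; not the researcher's code. No network access: the sample
search results below are constructed, not taken from any portal.
"""
import re
from datetime import date, datetime
from typing import Dict, Iterator, Optional

# Layout quoted in Step 3: state (2 letters) + RTO code (3 digits)
# + application year (4 digits) + 7-digit serial, e.g. TS10720210005462.
LICENCE_RE = re.compile(
    r"^(?P<state>[A-Z]{2})(?P<rto>\d{3})(?P<year>\d{4})(?P<serial>\d{7})$"
)
DATE_FMT = "%d/%m/%Y"  # dd/mm/yyyy, the form used on the page
MAX_TERM_YEARS = 20    # "valid for 20 years ..."
AGE_CAP = 40           # "... or up to the age of 40, whichever comes first"


def parse_licence(number: str) -> Dict[str, object]:
    """Decode a licence number into its fields; ValueError if malformed."""
    m = LICENCE_RE.match(number)
    if not m:
        raise ValueError(f"unexpected licence number format: {number!r}")
    g = m.groupdict()
    return {"state": g["state"], "rto": int(g["rto"]),
            "year": int(g["year"]), "serial": int(g["serial"])}


def build_licence(state: str, rto: int, year: int, serial: int) -> str:
    """Assemble a licence number from its fields (the construction step)."""
    if not (0 <= rto <= 999) or not (1 <= serial <= 9_999_999):
        raise ValueError("RTO code or serial out of range")
    return f"{state}{rto:03d}{year:04d}{serial:07d}"


def enumerate_licences(state: str, rto: int, year: int,
                       start: int = 1, stop: int = 9_999_999) -> Iterator[str]:
    """Yield every candidate number for one RTO and year, serial ascending."""
    for serial in range(start, stop + 1):
        yield build_licence(state, rto, year, serial)


def _years_before(d: date, years: int) -> date:
    """d minus `years` calendar years; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def infer_dob(issue_year: int, expiry_str: str) -> Optional[str]:
    """Apply the quoted validity rule in reverse.

    The licence number only reveals the issue *year*, so the check is
    conservative. If the expiry falls fewer than 20 years after that year,
    the 20-year term cannot be what limited it: the age cap did, so the
    expiry date is the holder's 40th birthday and the date of birth is
    exactly 40 years earlier. Otherwise the holder was under 20 at issue
    and the expiry date gives no exact date of birth (returns None).
    """
    expiry = datetime.strptime(expiry_str, DATE_FMT).date()
    if expiry.year - issue_year < MAX_TERM_YEARS:
        return _years_before(expiry, AGE_CAP).strftime(DATE_FMT)
    return None


# Constructed stand-in for what the Step 4 search returns per number
# (card holder name and expiry date). Names and dates are invented.
SAMPLE_RESULTS = {
    "TS10720210005462": {"name": "Applicant A", "expiry": "16/03/2036"},
    "TS10720210005463": {"name": "Applicant B", "expiry": "02/07/2041"},
}


def infer_dobs(results: Dict[str, Dict[str, str]]) -> Dict[str, Optional[str]]:
    """Map each licence number in a result set to its inferred date of birth."""
    return {number: infer_dob(parse_licence(number)["year"], rec["expiry"])
            for number, rec in results.items()}


if __name__ == "__main__":
    for number, dob in infer_dobs(SAMPLE_RESULTS).items():
        name = SAMPLE_RESULTS[number]["name"]
        print(f"{number}  {name:<12}  dob={dob or 'not recoverable from expiry'}")
```

The None case is the one the page's own rule implies: a licence that runs its full 20-year term belongs to someone who was under 20 at issue, and subtracting 40 years from its expiry would produce a wrong date of birth rather than the real one.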
Impact of exploiting the vulnerability: critical (it gives access to personal information through which other government portals can be accessed).
Other products/software likely to be affected
1) Election Commission of India (https://eci.gov.in/)
Using https://electoralsearch.in/ together with the details obtained from the Telangana transport portal, I learnt very sensitive data about the applicant.
To get this data we need to enter those details (which we already know for everyone who applied for a licence after their 20th birthday and before 30).
The data included:
1) EPIC number/voter ID number
2) constituency
3) polling booth, etc.
Based on my analysis, I think I can get into many more websites that do not require an OTP.
Tools used: basic mathematics, decoding.
Anonymous: no
Mention: yes
Proof:
Contact:
Sai Sravan Prabhala
+919912485599
BIA Cyber