
IDRBT exposed sensitive bank employee data for 13 months through vulnerabilities in the .bank.in registry

According to the investigation, the IDRBT domain registration portal leaked the authentication and personal data of more than 5,500 bank employees because of unauthenticated API endpoints.


An investigation by independent researcher Srikanth L has revealed that the Institute for Development and Research in Banking Technology (IDRBT) domain registration portal (registrar.idrbt.ac.in) exposed sensitive data of 5,576 bank employees for at least 13 months due to critical security vulnerabilities.

What Changed

The vulnerability stemmed from 33+ unauthenticated API endpoints on the registrar.idrbt.ac.in portal, which allowed anyone to query the system without authentication. This exposure leaked bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints of bank employees responsible for managing India's banking domains. Following the report, CERT-In addressed the vulnerabilities within 17 days.

Who Is Affected

The primary impact group includes the 5,576 bank employees whose credentials and personal identifiers were exposed. Additionally, the investigation highlighted administrative failures involving the private vendor IKCON Technologies, which held 22 employee accounts on the portal, including three with "Super Admin" access. The report also identified 1,072 "orphan" Super Admin accounts with no traceable owners.

Operational Impact

The exposure of bcrypt hashes poses a significant risk, as these can be cracked using sufficient computing power, potentially allowing attackers to hijack administrative accounts. Such access could enable the spoofing of legitimate banking websites or the issuance of fraudulent '.bank.in' domains. Furthermore, the report noted data residency violations where several cooperative banks hosted '.bank.in' websites on foreign servers, contradicting RBI data localisation mandates.

Bank compliance and security teams should immediately audit their administrative access protocols and ensure all domain-related credentials and hosting environments adhere to RBI data localisation and cybersecurity standards.
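The audit the paragraph above calls for can be partly automated. The following is an added example, not code from the original article, IDRBT or CERT-In: it takes an account export from a registrar-style portal and flags the three conditions the report describes (Super Admin accounts with no traceable owner, Super Admin accounts held by an external vendor, and password hashes that are not bcrypt or use a low work factor, which makes leaked hashes cheaper to crack). The record layout, the vendor name and the accounts themselves are constructed assumptions.

```python
"""Audit a registrar account export for the failure modes described in the report.

Added example; field names (login, role, owner, organisation, password_hash),
the sample accounts and the vendor name are assumptions, not IDRBT data.
"""
import re
from dataclasses import dataclass

# Modular-crypt bcrypt format: $2a|2b|2y$<cost>$<22-char salt + 31-char hash>
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_BCRYPT_COST = 12  # assumed policy floor for the work factor


@dataclass
class Account:
    login: str
    role: str
    owner: str          # accountable employee; empty string means untraceable
    organisation: str   # "bank" or the name of an external vendor
    password_hash: str


def bcrypt_cost(password_hash):
    """Return the cost factor encoded in a bcrypt hash, or None if it is not bcrypt."""
    m = BCRYPT_RE.match(password_hash)
    return int(m.group(1)) if m else None


def audit(accounts, vendors=frozenset()):
    """Return (login, finding) pairs for every account that violates the checks."""
    findings = []
    for a in accounts:
        if a.role == "Super Admin" and not a.owner.strip():
            findings.append((a.login, "orphan Super Admin: no traceable owner"))
        if a.role == "Super Admin" and a.organisation in vendors:
            findings.append((a.login, f"Super Admin held by external vendor {a.organisation}"))
        cost = bcrypt_cost(a.password_hash)
        if cost is None:
            findings.append((a.login, "password hash is not bcrypt"))
        elif cost < MIN_BCRYPT_COST:
            findings.append((a.login, f"bcrypt cost {cost} is below the floor of {MIN_BCRYPT_COST}"))
    return findings


# Constructed sample data. The 53-character tail is a syntactically valid but
# meaningless salt+digest; only the cost prefix matters for this check.
_TAIL = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_ACCOUNTS = [
    Account("ops.lead", "Super Admin", "A. Sharma", "bank", "$2b$12$" + _TAIL),
    Account("legacy01", "Super Admin", "", "bank", "$2b$12$" + _TAIL),
    Account("vendor.admin", "Super Admin", "V. Kumar", "ExampleVendor Ltd", "$2a$05$" + _TAIL),
    Account("helpdesk", "Operator", "R. Rao", "bank", "not-a-bcrypt-hash"),
]
SAMPLE_VENDORS = frozenset({"ExampleVendor Ltd"})


if __name__ == "__main__":
    for login, finding in audit(SAMPLE_ACCOUNTS, SAMPLE_VENDORS):
        print(f"{login}: {finding}")
```

Running the block against the constructed export reports one orphan Super Admin, one vendor-held Super Admin with a weak work factor, and one account whose stored credential is not bcrypt at all. In a real review the export would come from the portal's user store and the vendor list from the contract register, and every Super Admin without an owner would be disabled pending attribution rather than merely listed.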


Source: Explained: How vulnerabilities in RBI's bank.in registry exposed sensitive data for 13 months
Domain: medianama.com
