
IDRBT Exposed Sensitive Bank Employee Data via .bank.in Registry Vulnerabilities for 13 Months

medianama.com · @policy_brief · 3 hours ago · Technology Policy · 1 comment

An investigation reveals that the IDRBT domain registration portal leaked credentials and personal data of over 5,500 bank employees due to unauthenticated API endpoints.

Tags: rbi, fintech, cybersecurity, india

An investigation by independent researcher Srikanth L has revealed that the Institute for Development and Research in Banking Technology (IDRBT) domain registration portal (registrar.idrbt.ac.in) exposed sensitive data of 5,576 bank employees for at least 13 months due to critical security vulnerabilities.

What Changed

The vulnerability stemmed from more than 33 API endpoints on the registrar.idrbt.ac.in portal that answered requests without requiring authentication, so anyone on the internet could query the system. Those endpoints returned bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints of the bank employees responsible for managing India's banking domains. Following the report, CERT-In addressed the vulnerabilities within 17 days.

Who Is Affected

The primary impact group includes the 5,576 bank employees whose credentials and personal identifiers were exposed. Additionally, the investigation highlighted administrative failures involving the private vendor IKCON Technologies, which held 22 employee accounts on the portal, including three with "Super Admin" access. The report also identified 1,072 "orphan" Super Admin accounts with no traceable owners.

Operational Impact

Exposed bcrypt hashes are a real risk even though bcrypt is deliberately slow to compute: an attacker holding the hashes can run offline guessing for as long as they like, and weak or reused passwords fall regardless of the hashing algorithm. A recovered password for a privileged account would let an attacker hijack it, and with it spoof legitimate banking websites or issue fraudulent '.bank.in' domains. The report also noted data residency violations: several cooperative banks hosted '.bank.in' websites on foreign servers, contrary to RBI data localisation mandates.

Bank compliance and security teams should immediately audit who holds administrative access to their domain registrations, remove accounts with no identifiable owner and vendor accounts that are no longer needed, rotate the affected credentials, and confirm that all domain-related credentials and hosting environments adhere to RBI data localisation and cybersecurity standards.
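As an added example (not code from the article, IDRBT, or CERT-In), the kind of privileged-account review the paragraph above calls for, run over a constructed user export. It flags Super Admin accounts with no traceable owner (the "orphan" pattern the report describes), privileged accounts whose email is outside the bank's own domains (the vendor-held accounts), and privileged accounts with no recent login, then counts Super Admins per owning organisation. The column names, the domain allow-list, the reference date, and the sample rows are all assumptions made for this example.

```python
"""Privileged-account audit over a registrar user export.

Added example, not the article's or IDRBT's code. It assumes a CSV export with
the columns user_id, login, email, role, owner_org, last_login, and a
hypothetical allow-list of bank e-mail domains.
"""
import csv
import io
from datetime import date, timedelta

SUPER_ADMIN = "Super Admin"
PRIVILEGED_ROLES = {"Super Admin", "Admin"}
# Hypothetical allow-list: domains that belong to the banks themselves.
BANK_DOMAINS = {"examplebank.co.in", "coopbank.example"}

# Constructed sample export; every row below is made up for this example.
SAMPLE_EXPORT = """\
user_id,login,email,role,owner_org,last_login
1,alice,alice@examplebank.co.in,Super Admin,Example Bank,2024-05-01
2,bob,bob@examplebank.co.in,Admin,Example Bank,2024-04-11
3,svc-vendor1,ops@vendor.example,Super Admin,,2023-12-30
4,svc-vendor2,dev@vendor.example,Admin,Vendor Co,2024-01-02
5,legacy-admin,,Super Admin,,
6,carol,carol@coopbank.example,Super Admin,Coop Bank,2024-05-02
"""


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def email_domain(email):
    """Return the lower-cased domain part of an address, or '' if absent."""
    email = email.strip()
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def audit_accounts(rows, bank_domains=BANK_DOMAINS,
                   today=date(2024, 5, 15), stale_after=timedelta(days=90)):
    """Return audit findings keyed by category.

    `today` is pinned so the example is reproducible; a real run would pass
    date.today(). `stale_after` is the inactivity window for privileged users.
    """
    findings = {
        "orphan_super_admin": [],   # Super Admin with no owner org or no email
        "external_privileged": [],  # Admin/Super Admin outside bank domains
        "stale_privileged": [],     # Admin/Super Admin with no recent login
        "super_admin_per_org": {},  # how many Super Admins each org holds
    }
    cutoff = today - stale_after
    for r in rows:
        role = r["role"].strip()
        login = r["login"].strip()
        owner = r["owner_org"].strip()
        domain = email_domain(r["email"])
        privileged = role in PRIVILEGED_ROLES

        if role == SUPER_ADMIN and (not owner or not domain):
            findings["orphan_super_admin"].append(login)
        if privileged and domain and domain not in bank_domains:
            findings["external_privileged"].append(login)
        if privileged:
            last = r["last_login"].strip()
            if not last or date.fromisoformat(last) < cutoff:
                findings["stale_privileged"].append(login)
        if role == SUPER_ADMIN:
            key = owner or "<no owner>"
            findings["super_admin_per_org"][key] = (
                findings["super_admin_per_org"].get(key, 0) + 1)
    return findings


def print_report(findings):
    """Human-readable summary for the reviewer."""
    for category, value in findings.items():
        print(f"{category}: {value}")


if __name__ == "__main__":
    print_report(audit_accounts(parse_export(SAMPLE_EXPORT)))
```

The three list-valued findings are the accounts to act on first: an orphan Super Admin has nobody who can vouch for it, an external privileged account needs a contract or ticket that justifies it, and a stale privileged account should be disabled until someone claims it. The per-organisation count is the quick check for a single org holding far more Super Admins than it has staff.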


Source: Explained: How vulnerabilities in RBI's bank.in registry exposed sensitive data for 13 months
Domain: medianama.com
