The cyber-proficient Sunny Nehra, with his team, detected several security loopholes in the official websites of the Indian Army. The critical vulnerabilities were detected by Sunny Nehra of “Hacks and Security” in the websites indianarmy.nic.in and joinindianarmy.nic.in. With the help of his team, Nehra reported his findings to CERT-In and the concerned authorities for patching.
Nehra also observed that the country’s armed forces websites were using a highly outdated version of Lodash (a JavaScript library). The affected versions of the package are vulnerable to Prototype Pollution. In layman's terms, the function zipObjectDeep can be tricked into adding or modifying properties of the Object prototype. These properties then appear on all objects.
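The behaviour described above, as an added example that is not from the original article and is not Lodash's source code: a naive deep-path setter standing in for the vulnerable pattern, beside a hardened form that rejects path segments able to reach a prototype. The function names and the sample input are assumptions made for this illustration.

```javascript
// Added example; not Lodash source. All function names are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk `segments` from `target`, creating objects as needed, then assign.
// With strict=true, any segment that can reach a prototype is rejected first.
function setPath(target, segments, value, strict) {
  if (strict && segments.some((s) => BLOCKED_KEYS.has(s))) {
    throw new RangeError(`prototype-reaching path rejected: ${segments.join('.')}`);
  }
  let node = target;
  for (const seg of segments.slice(0, -1)) {
    if (node[seg] === null || typeof node[seg] !== 'object') node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
}

// Vulnerable pattern: path strings are trusted as-is.
function naiveZipObjectDeep(paths, values) {
  const result = {};
  paths.forEach((p, i) => setPath(result, p.split('.'), values[i], false));
  return result;
}

// Hardened form: same interface, but unsafe paths raise instead of writing.
function safeZipObjectDeep(paths, values) {
  const result = {};
  paths.forEach((p, i) => setPath(result, p.split('.'), values[i], true));
  return result;
}

// Runs both on constructed input and reports what an unrelated object sees.
function demo() {
  const paths = ['user.name', '__proto__.polluted']; // constructed sample
  const values = ['alice', true];
  naiveZipObjectDeep(paths, values);
  const leakedNaive = ({}).polluted;   // true: every object inherits it
  delete Object.prototype.polluted;    // undo so the process stays clean
  let rejected = false;
  try {
    safeZipObjectDeep(paths, values);
  } catch (err) {
    rejected = err instanceof RangeError;
  }
  return { leakedNaive, rejected, leakedSafe: ({}).polluted };
}

console.log(demo());
```

Key filtering of this kind is a stopgap for code that must accept path strings; for a site running an affected Lodash release, upgrading the library remains the fix.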
The sites' security was in a critical state; if exploited, the flaws could lead to severe threats, including the complete takeover of the web server. All these sites were running obsolete versions of jQuery, Bootstrap and various other web application components. As a result, these sites were susceptible to different types of attack.
Nehra also found that some other government websites had critical security vulnerabilities. Among them were the sites of UHBVN (Uttar Haryana Bijli Vitaran Nigam) and DHBVN (Dakshin Haryana Bijli Vitaran Nigam), which hold the data of many users in the state of Haryana. The major cause of the security issues was the failure to keep various critical components of the websites up to date.
Because the websites weren’t up to date, they contained any number of out-of-date components, including an out-of-date Liferay portal that can allow an attacker to exploit an arbitrary file upload vulnerability to upload or transfer dangerous types of files. Such files can be automatically processed within the product's environment. In layman's terms, the hacker can effectively take over the entire web server.
This is not the first time the Hacks and Security team has found critical vulnerabilities in government sites. In August 2021, Sanjeev Gupta, the former CEO of Digital India, had warned how groups of Pakistani hackers had hacked into some of the nation's news channels and how Hacks and Security came to their rescue to fix their security issues.
Our nation’s popular and acknowledged cyber security genius, Sunny Nehra, posted a Twitter thread to disclose the root cause of the government's websites being so insecure.
The Indian government hosts its websites, including those of the Indian armed forces, on NICNET (National Informatics Centre Networks) data centres.