تخطَّ إلى المحتوى
Ravington
العودة إلى الأخبار
العالم

Critical Vulnerability Lasting 13 Months in the Reserve Bank of India's .bank.in Registry System

MediaNama
WhatsApp

The Reserve Bank of India (RBI) established the '.bank.in' domain extension in February 2025 as a digital trust mark so that citizens could instantly verify official bank websites. However, a review conducted by an independent security researcher named Srikanth L revealed that, contrary to expectations, this system contained serious security vulnerabilities. Sensitive data was leaked from the domain registry portal operated by the Institute for Development and Research in Banking Technology (IDRBT) for at least 13 months. More than 33 unauthenticated endpoints were detected in the backend of the system, which could have been easily exploited by a skilled hacker. This situation once again highlighted how vital digital security standards are in the banking sector.

According to the report prepared by researcher Srikanth L, the portal, which serves through IDRBT's infrastructure in Hyderabad, was open to external interference without any password or authorization. Anyone using simple command-line tools could pull data directly from the system and access critical information belonging to bank employees. The leaked data included password hashes (in bcrypt format), mobile phone numbers, email addresses, login IPs, and device fingerprints of 5.576 bank employees tasked with managing India's banking domains. This vulnerability, which compromised employee privacy and system integrity, remained undetected in the system for a long time. Srikanth did not publicly disclose the information he obtained because the data was extremely sensitive.

The security vulnerability in question was not limited to data leakage but also left the administrative panel accesses of banks under the control of private companies. A Hyderabad-based private vendor named IKCON Technologies had 22 employee accounts in the portal, and three of these accounts had global 'Super Admin' privileges. Even more concerning was the detection of 1.072 'orphan' Super Admin accounts in the system that had no official or traceable owner. The fact that it was unknown who controlled these accounts with the highest level of access privileges showed how much administrative chaos the system was in. This situation also brought the risk of unauthorized individuals having full control over the entire banking infrastructure.

The administrative and bureaucratic negligence behind this crisis were also remarkably emphasized in the report. Unlike global '.bank' domains, no public consultation, impact assessment, or stakeholder meeting was held for the '.bank.in' domain mandated by RBI. Additionally, it was reported that no open tender process (RFP) or vendor evaluation was conducted when the contract was awarded to IKCON Technologies. The report stated that this situation demonstrated a direct violation of IDRBT's own 2015 IT procurement handbook. The institution's opening of a secret and closed tender for security testing (VAPT) of its IT infrastructure just two months before the vulnerability was discovered also contradicted its own open tender policies.

When the security researcher reported this critical vulnerability to CERT-In, India's cybersecurity agency, a rapid response was received. Unlike other recent institutional negligences, CERT-In announced that it resolved the issue just 17 days after being notified by the researcher. Srikanth criticized the fact that the system was not tested by any independent security auditors before being launched and that security was left optional. Although RBI made the adoption of this system mandatory, its neglect of security protocols raised serious questions in the industry. The incident proved that transparency, auditing, and cybersecurity measures must be the top priority in the process of establishing mandatory infrastructures in digital banking ecosystems.

اسأل عن هذا الخبر

الإجابات من الذكاء الاصطناعي، من هذا الخبر فقط.

هذا ملخّص قصير مُنشأ بالذكاء الاصطناعي. الخبر الكامل موجود في المصدر.

اقرأ الخبر كاملًا من المصدرmedianama.com

هذا الخبر في مصادر أخرى · 2

NL

أخبار ذات صلة