(by Anupam Saxena and Nikhil Pahwa)
Update: Sulekha CEO Satya Prabhakar has sent us the following statement: “Sulekha has recently introduced a feature in one of our services where our local business customers can upload photos for promoting their businesses. The utility that we used for allowing this self uploads mistakenly permitted the uploading of HTML files. This loophole was exploited briefly to put up an HTML page on one service homepage of Sulekha. This was promptly diagnosed and rectified. Our investigation has revealed that no user or customer data was compromised and the breach was isolated to one part of our site only. We are undertaking a thorough investigation and strengthening our protocols to prevent this from happening again.”
Earlier: In the last couple of months, there appears to have been an increase in the hacking of Indian websites: TheHackerNews reported yesterday that Sulekha.com had been hacked and defaced by an Indian hacker, Mr52. Two pages that TheHackerNews points towards – this and this – are now returning a server error.
Over the last couple of months, zSecure, an IT security research group, has claimed to have detected vulnerabilities in at least three Indian websites: Sify.com (screenshots), TimesOfMoney (screenshots) and brokerage house Sharekhan.com (screenshots), using an SQL injection technique. According to zSecure, a critical SQL injection vulnerability in the website could allow an attacker to gain access to the site’s entire database, which contains confidential customer information.
In Sify’s case, it has published information of e-commerce transactions and masked passwords; in the case of TimesOfMoney, it has published screenshots of information on what appear to be admin users (no passwords); in the case of ShareKhan, there is a single screenshot of the hosting information. Note: TimesOfMoney has pointed out to MediaNama that the screenshots do not list registered users. It has not yet responded to our query on whether those are administrative users listed in the screenshots.
zSecure says by e-mail that no data was dumped from the site, and in each case, it says it decided to make the information public after the companies did not pay heed to e-mails informing them about the data vulnerability. It also claims that a similar vulnerability exists in HDFC Bank’s website, and that even after being informed about it, the bank has not taken any measures to fix it.
Note that MediaNama is unable to verify any of the claims made by zSecure, the authenticity of the screenshots, and whether this level of access (except in case of Sify) indicates a serious security breach. We’re awaiting a response from Sify.com. TimesOfMoney has shared the following comment with MediaNama:
“The screen shots shown in the article alleging stating vulnerability of our site do not prove that there has been a breach of data security, or any loss of customer data. It remains to be seen how the screen shots have been derived. We are protected against any kind of network penetration due to stringent policies followed. Nevertheless, post receipt of this information, we have once again tested our infrastructure for the named vulnerability, and have seen no evidence of breach.
Our data remains secure and our customer transactions are functioning normally.”