“...the web portal of CVL is vulnerable to Insecure Direct Object References. It was initially observed that on the login page of CVL, there was a possibility of getting access to the details of another user by changing the reference ID of the user,” the Ministry of Finance wrote in response to a question by Indian National Congress MP Manish Tewari in the winter session of Lok Sabha. The ministry also shed light on how the vulnerability was fixed: it was addressed “by encrypting the reference ID,” the reply added.

The Central Depository Services Limited (CDSL) is one of the two SEBI-regulated depositories that hold securities like shares, mutual funds, and bonds in electronic format. Nearly 600 stockbrokers, who collectively have over 4 crore investor accounts, are associated with CDSL. CDSL Ventures (CVL) is a government-approved KYC registration agency owned by CDSL.

A second vulnerability was found in CVL, which was promptly fixed by the firm, and the same was conveyed to the Indian Computer Emergency Response Team (CERT-In). The ministry also revealed that a forensic audit of CVL was conducted at the direction of the Securities and Exchange Board of India (SEBI). The ministry clarified that “there was no authorization vulnerability in any of the Application Programming Interfaces (APIs) and/or website of Central Depository Services Ltd. (CDSL)”.

It is the first time that a vulnerability has been acknowledged by the government in critical infrastructure such as an agency that holds the data of lakhs of investors. Why was this question raised in…
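A minimal illustration of the flaw the reply describes (a lookup keyed on a client-supplied reference ID with no ownership check) next to a server-side fix. This is example code added here, not code from CVL, CDSL or the ministry's reply; the record store, field names, user names and server key are all constructed, and the HMAC-derived handle stands in for the reply's “encrypting the reference ID”.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory KYC store; the dict key is the direct object reference
# that a client would otherwise send in the request (a sequential reference ID).
KYC_RECORDS = {
    "1001": {"owner": "alice", "name": "Alice Example"},
    "1002": {"owner": "bob", "name": "Bob Example"},
}
SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret


def lookup_vulnerable(requested_ref: str) -> dict:
    """IDOR: returns whatever record the client asks for; no check that the
    authenticated user owns it, so changing '1001' to '1002' leaks Bob's data."""
    return KYC_RECORDS[requested_ref]


def opaque_ref(user_ref: str) -> str:
    """Derive a non-guessable handle from the internal reference ID, so a client
    cannot enumerate neighbouring IDs by incrementing a number."""
    return hmac.new(SERVER_KEY, user_ref.encode(), hashlib.sha256).hexdigest()


# Reverse map from opaque handle back to the internal reference (built server-side).
OPAQUE_TO_REF = {opaque_ref(ref): ref for ref in KYC_RECORDS}


def resolve_ref(opaque: str) -> Optional[str]:
    return OPAQUE_TO_REF.get(opaque)


def lookup_opaque_only(opaque: str) -> dict:
    """Opaque handles alone: blocks guessing, but anyone holding a valid handle
    (e.g. from a forwarded link or log) still gets the record. Not a full fix."""
    ref = resolve_ref(opaque)
    if ref is None:
        raise KeyError("unknown reference")
    return KYC_RECORDS[ref]


def lookup_hardened(session_user: str, opaque: str) -> dict:
    """Authorization enforced server-side: the resolved record must belong to the
    authenticated session user, regardless of how the handle was obtained."""
    ref = resolve_ref(opaque)
    if ref is None or KYC_RECORDS[ref]["owner"] != session_user:
        raise PermissionError("not authorized for this record")
    return KYC_RECORDS[ref]
```

The last two functions differ only in the ownership check; that check, not the unguessable handle, is what closes the IDOR.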
