Refer to independent researcher Srikanth’s original resources here: [ Blogpost | PDF report | GitHub Repository ]

“No security researcher reviewed this system before it went live. No independent auditor tested it. The RBI circular made adoption mandatory—but made security optional,” wrote Srikanth L, who runs Cashless Consumer, a consumer collective focused on digital payments, in his blogpost on how the RBI’s registry of ‘.bank.in’ domains was exposing sensitive data. Read his full report here.

What Happened? In February 2025, the Reserve Bank of India (RBI) created the ‘.bank.in’ domain suffix to be a digital mark of trust, a way for citizens to instantly verify that a website truly belongs to an official bank. Read RBI’s notices here: [ Feb 2025 | April 2025 ]

The IDRBT Domain Registration Portal (registrar.idrbt.ac.in) exposed its backend to anyone on the internet, and a moderately skilled attacker could have exploited it before it was fixed. It has since been fixed. Briefly, here is what happened:

  • The entity responsible for ‘.bank.in’ domains was exposed for at least 13 months: Srikanth’s investigation reveals that the Hyderabad-based Institute for Development and Research in Banking Technology (IDRBT) exposed its backend via 33+ unauthenticated endpoints on its ‘.bank.in’ domain registration portal (registrar.idrbt.ac.in), leaking the sensitive data of thousands of bank employees for at least 13 months.
  • Password hashes, mobile numbers, and emails of over 5,000 bank employees were at risk: In simple terms, anyone with basic tooling (such as the command-line tool curl) could query the system without any credentials. They could freely download the bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints of all 5,576 bank employees tasked with managing India’s banking domains. (bcrypt is a deliberately slow password hash, not encryption: it raises the cost of offline cracking but does not prevent it for weak or reused passwords.)
  • Banks’ admin access in private hands: The Hyderabad-based private vendor IKCON Technologies held 22 employee accounts on the portal, three of which had global “Super Admin” access. The investigation also uncovered 1,072 “orphan” Super Admin accounts: accounts with the highest level of access that appeared to have no active or officially traceable owner.
  • CERT-In got it fixed in about 17 days: Srikanth reported the vulnerability to CERT-In, India’s national cybersecurity agency. Unlike in the recent CBSE fiasco, CERT-In responded 17 days after Srikanth flagged the issue, saying that it had been fixed.
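As an added illustration (not the researcher’s tooling, and not code from the original report), the Python script below shows how a tester would check a set of responses captured from credential-less requests for exactly the data classes described above: bcrypt hashes, email addresses, Indian mobile numbers and IP addresses. The endpoint paths, the sample responses and the bcrypt cost threshold of 10 are all constructed for this example.

```python
import json
import re
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Heuristic patterns for the data classes the report says were exposed.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
IN_MOBILE_RE = re.compile(r"^(?:\+91|0)?[6-9]\d{9}$")  # Indian mobile numbers
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Assumed threshold: bcrypt work factors below 2^10 are cheap to crack offline.
MIN_BCRYPT_COST = 10


def classify_value(value: str) -> Optional[str]:
    """Return the sensitive-data class of one string value, or None."""
    if BCRYPT_RE.match(value):
        return "bcrypt_hash"
    if EMAIL_RE.match(value):
        return "email"
    if IN_MOBILE_RE.match(value):
        return "mobile"
    if IPV4_RE.match(value):
        return "ip"
    return None


def bcrypt_cost(hash_str: str) -> int:
    """Extract the work factor (log2 of the iteration count) from a bcrypt hash."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))


def _string_leaves(obj: Any) -> Iterator[str]:
    """Yield every string leaf of a parsed JSON document, at any depth."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _string_leaves(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _string_leaves(v)
    elif isinstance(obj, str):
        yield obj


def scan_body(body: str) -> Dict[str, int]:
    """Count sensitive-data classes in a JSON body (non-JSON bodies give none).
    Hashes below MIN_BCRYPT_COST are additionally counted as 'low_cost_bcrypt'."""
    try:
        doc = json.loads(body)
    except ValueError:
        return {}
    counts: Dict[str, int] = {}
    for leaf in _string_leaves(doc):
        cls = classify_value(leaf)
        if cls is None:
            continue
        counts[cls] = counts.get(cls, 0) + 1
        if cls == "bcrypt_hash" and bcrypt_cost(leaf) < MIN_BCRYPT_COST:
            counts["low_cost_bcrypt"] = counts.get("low_cost_bcrypt", 0) + 1
    return counts


def audit_unauthenticated(responses: Dict[str, Tuple[int, str]]) -> List[Dict[str, Any]]:
    """Flag endpoints that answered a credential-less request with sensitive data.
    `responses` maps path -> (HTTP status, body) captured with no cookie or token.
    Only 2xx answers count: a 401/403 means the endpoint did enforce authentication."""
    findings = []
    for path, (status, body) in sorted(responses.items()):
        if not 200 <= status < 300:
            continue
        exposed = scan_body(body)
        if exposed:
            findings.append({"endpoint": path, "status": status, "exposed": exposed})
    return findings


# Constructed sample captures (synthetic values, not data from the real portal).
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "/api/users/list": (200, json.dumps([
        {"id": 1, "email": "alice@examplebank.test", "mobile": "+919812345678",
         "password_hash": "$2b$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
         "last_login_ip": "203.0.113.7"},
        {"id": 2, "email": "bob@examplebank.test", "mobile": "9876543210",
         "password_hash": "$2a$04$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1",
         "last_login_ip": "198.51.100.23"},
    ])),
    "/api/admin/export": (401, json.dumps({"error": "unauthorized"})),
    "/api/health": (200, json.dumps({"status": "ok"})),
}

if __name__ == "__main__":
    for finding in audit_unauthenticated(SAMPLE_RESPONSES):
        print(finding)
```

In the sample, only `/api/users/list` is reported: the export endpoint correctly refused the request with 401, and the health endpoint returned nothing sensitive. The bcrypt cost is parsed from the hash prefix because a leaked hash set is only as safe as its work factor and the underlying passwords; the second record’s cost of 4 would be flagged as cheap to attack offline.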

The story in numbers: a summary of the exposure’s scale and the administrative failures:

  • 5,576: Bank employee credentials exposed (including password hashes, mobile numbers, and IPs). Srikanth did not publish the data itself because of its sensitivity.
  • 1,072: Orphan Super Admin accounts found on the system. He did not disclose these either, for the same reason.
  • 33+: Unauthenticated endpoints on the registrar portal through which its backend was exposed.
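The two administrative findings above (Super Admin accounts held by a private vendor, and 1,072 orphan Super Admin accounts) are what a periodic access review is meant to catch. As an added example, not the portal’s code or the researcher’s, here is a Python audit that reconciles a registry account export against an active-personnel roster and flags privileged accounts that are orphaned, held by a third-party vendor, or unused for more than 90 days. The account and roster schema, the sample rows and the 90-day threshold are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SUPER_ADMIN = "Super Admin"
STALE_DAYS = 90  # assumed threshold: a privileged account unused this long is suspect


@dataclass(frozen=True)
class Account:
    """One row of a registry account export (assumed schema for this example)."""
    username: str
    role: str
    owner_email: Optional[str]  # None when the registry records no owner at all
    last_login: Optional[date]  # None when the account has never logged in


@dataclass(frozen=True)
class Person:
    """One row of the active-personnel roster the accounts are reconciled against."""
    email: str
    org: str
    org_type: str  # "bank" or "vendor"
    active: bool


def audit_privileged(accounts: List[Account], roster: List[Person], as_of: date) -> Dict[str, List[str]]:
    """Return {username: [issues]} for every Super Admin account with at least one issue.

    orphan       no owner recorded, or the owner is not an active person in the roster
    vendor_held  the owner works for a third-party vendor rather than a bank
    stale        no login within STALE_DAYS before `as_of`
    """
    people = {p.email.lower(): p for p in roster}
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        if acct.role != SUPER_ADMIN:
            continue  # review the highest-privilege tier first
        issues: List[str] = []
        owner = people.get(acct.owner_email.lower()) if acct.owner_email else None
        if owner is None or not owner.active:
            issues.append("orphan")
        elif owner.org_type == "vendor":
            issues.append("vendor_held")
        if acct.last_login is None or (as_of - acct.last_login).days > STALE_DAYS:
            issues.append("stale")
        if issues:
            report[acct.username] = issues
    return report


def summarize(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many flagged accounts carry each issue."""
    counts: Dict[str, int] = {}
    for issues in report.values():
        for issue in issues:
            counts[issue] = counts.get(issue, 0) + 1
    return counts


# Constructed sample data; names, domains and dates are synthetic.
AS_OF = date(2025, 6, 30)
SAMPLE_ROSTER = [
    Person("asha@bank-a.test", "Bank A", "bank", True),
    Person("ravi@bank-b.test", "Bank B", "bank", False),  # has left the bank
    Person("ops@vendor.test", "Vendor Co", "vendor", True),
]
SAMPLE_ACCOUNTS = [
    Account("asha.k", SUPER_ADMIN, "asha@bank-a.test", date(2025, 6, 1)),
    Account("ravi.m", SUPER_ADMIN, "ravi@bank-b.test", date(2024, 11, 2)),
    Account("legacy01", SUPER_ADMIN, None, None),
    Account("vendor.ops1", SUPER_ADMIN, "ops@vendor.test", date(2025, 6, 20)),
    Account("ghost", SUPER_ADMIN, "nobody@bank-a.test", date(2025, 6, 25)),
    Account("asha.k.ro", "Registrar", "asha@bank-a.test", date(2025, 6, 29)),
]

if __name__ == "__main__":
    result = audit_privileged(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, AS_OF)
    for name, issues in result.items():
        print(f"{name}: {', '.join(issues)}")
    print(summarize(result))
```

The reconciliation deliberately treats “owner not in the roster” and “owner has left” identically: in both cases nobody is accountable for the account, which is the defining property of an orphan. Vendor-held accounts are reported separately because they may be legitimate but should be individually justified and time-bound rather than global.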


Last Update: June 29, 2026