Hello all, I am Rishi Mohanadas. This is my first writeup, so kindly forgive me for any mistakes in it. I would like to share how I was able to expose the details of 36 million ration card beneficiaries of Kerala state.
It all started when, one fine day, a friend from the YAS community messaged me asking about my earlier finding of a ration card breach in a Kerala govt domain, which I had reported a couple of years back. At that point I thought of digging into the same again.
So I started looking into the Civil Supplies Kerala domain again. Below you will find the steps to reproduce it.
How to Reproduce :
1. Go to the civil supplies site https://civilsupplieskerala.gov.in/index.php/cards
2. There you will see the district-wise report drop-down.
3. Click on any district and it will show a drop-down of TSO-level reports.
4. From this list, click on any TSO name and you will get the list of ARD-level reports.
5. Click on any ARD number shown and it will list the complete set of beneficiaries under that ARD.
6. From here you can get the ration card number, owner name and card type.
7. Once this data is dumped, visit https://etso.civilsupplieskerala.gov.in/index.php/c_checkrcard_details
8. Here, provide the ration card number and enter the captcha.
9. You will be redirected to the ration card details page, from where you can download the card.
An attacker who can automate this process can dump the whole dataset, affecting 36 million beneficiaries. Even a person with basic computer knowledge can access ration card data one record at a time.
After Kerala, I started digging for other ration card related domains and landed on the domain http://epds.bihar.gov.in/.
From that domain, anyone was able to access the details of 90 million ration cards of Bihar state, and anyone could download a ration card in PDF or image format. When we count the beneficiaries under each card, the exposed PII would be 4–5 times the above-mentioned figure :).
How to Reproduce :
1. Visit the website link http://epds.bihar.gov.in/DistrictWiseRationCardDetailsBH.aspx. There you can see the category-wise number of ration cards as on date.
2. Either filter a single district or select all districts together.
3. You will get a table of details with S.NO., District, Rural, Urban, PHH Cards, PHH Members, AAY Cards, AAY Members, Total Cards, Total Members, etc.
4. Here you have the option to select Rural or Urban under each district; click on either one.
5. It will take you to the Report on Category Wise Number of Ration Card in Block.
6. Click on any Block Name and the webpage will take you to the Report on Category Wise Number of Ration Card in Panchayat.
7. Click on a panchayat and it will take you to the Report on Category Wise Number of Ration Card in Village; select any village name.
8. There comes the complete list of ration card details under that particular village, with the fields Ration Card, Card Type, Ration Card Holder Name, Father Name, Number of Family Members and FPS Dealer.
9. Once you click on any ration card number, the attacker will be able to see the ration card along with the image of all members, ration card number, card type, cardholder, and details of each family member with name, father's name, age and relationship with the chief. The mobile number is also visible, and an attacker can download the ration card as an image or PDF file, which can be misused.
With the help of an automated tool, an attacker can dump and download the whole dataset, including the ration cards in image or PDF format. There is also the option to download files by ration card number from this link: http://epds.bihar.gov.in/SearchByRCID.aspx.
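Both the Kerala and the Bihar findings above have the same footprint on the server side: an automated dump shows up as one client requesting many distinct card lookups on the card-details endpoints in a short time, while a citizen checking their own card requests one card a few times. The script below is an added example (not code from the writeup or from either portal) showing how a defender could pick that pattern out of ordinary web access logs. It assumes Apache combined log format, treats the lookup paths named in the writeup as the sensitive paths, and treats every distinct query string on those paths as one distinct lookup because the real sites' form and parameter layout is not known here; the `rc=` parameter, client addresses, timestamps and thresholds are all constructed for the example.

```python
"""Flag clients that enumerate many distinct ration cards on a lookup endpoint.

Added example, not from the original writeup or the portals it describes.
All log lines are constructed sample traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Paths from the writeup that return per-card PII. The real query/form layout
# is unknown, so any distinct query string on these paths counts as one lookup.
SENSITIVE_PATHS = {
    "/index.php/c_checkrcard_details",  # Kerala eTSO card lookup
    "/SearchByRCID.aspx",               # Bihar ePDS search by card id
}

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
IST = timezone(timedelta(hours=5, minutes=30))


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def find_enumerators(lines, window_seconds=300, threshold=20):
    """Return {ip: peak distinct lookups within any window} for clients whose
    distinct successful lookups on a sensitive path reach the threshold."""
    per_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["path"] in SENSITIVE_PATHS and ev["status"] == 200:
            per_client[ev["ip"]].append((ev["ts"], ev["query"]))

    flagged = {}
    for ip, events in per_client.items():
        events.sort()
        window = deque()            # (ts, query) pairs inside the sliding window
        in_window = defaultdict(int)  # query -> occurrences inside the window
        peak = 0
        for ts, query in events:
            window.append((ts, query))
            in_window[query] += 1
            # Evict lookups older than the window relative to the newest event.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old_query = window.popleft()
                in_window[old_query] -= 1
                if in_window[old_query] == 0:
                    del in_window[old_query]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed traffic: one citizen checking their own card twice, and one
    client walking a different (constructed) card number every two seconds."""
    start = datetime(2020, 3, 10, 10, 0, 0, tzinfo=IST)
    fmt = '{ip} - - [{ts}] "GET {target} HTTP/1.1" {status} 4096 "-" "{ua}"'
    lines = [fmt.format(ip="198.51.100.7", ts=start.strftime(TS_FMT),
                        target="/index.php/cards", status=200, ua="Mozilla/5.0")]
    for minute in (1, 4):
        lines.append(fmt.format(ip="198.51.100.7",
                                ts=(start + timedelta(minutes=minute)).strftime(TS_FMT),
                                target="/index.php/c_checkrcard_details?rc=EXAMPLE000042",
                                status=200, ua="Mozilla/5.0"))
    for i in range(60):
        lines.append(fmt.format(ip="203.0.113.10",
                                ts=(start + timedelta(seconds=2 * i)).strftime(TS_FMT),
                                target=f"/index.php/c_checkrcard_details?rc=EXAMPLE{i:06d}",
                                status=200, ua="python-requests/2.22.0"))
    return lines


if __name__ == "__main__":
    for ip, peak in find_enumerators(build_sample_log()).items():
        print(f"{ip}: {peak} distinct card lookups within 5 minutes")
```

Counting distinct lookups rather than raw requests is what separates the dump from a citizen who reloads their own card page; the threshold and window are starting points to tune against real traffic, and a rate limit or per-session quota on the same endpoints would turn the detection into a mitigation.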
This data is publicly provided by the govt and is accessible by anyone who visits these sites 😕
Greetz: Mr.Sh3ll , Mr.M4f!a , error1046, c0de13 ,wo0rm3r and to all YAS Family Members
Sh0utz : Anil Tom, Eldho George , Ananda Krishnan M D & Nesooh