Security researchers have discovered that a website exposed to the public about .2.26 million records connected to users of the mobile payment application BHIM.
The exposed data includes sensitive information such as name, date of birth, age, gender, home address, caste location and Aadhaar card details, among others, the VPN review website vpnMentor reports.
“The level of information disclosed is phenomenal, affecting millions of people across India and exposing them to the potential for potentially destructive fraud, theft, and attacks by hackers and cyber criminals,” vpnMentor wrote in a blog post on Sunday.
BHIM, or India Interface for Money, is an application provided by the National Payments Corporation of India (NPCI). It was launched in 201.
NPCI has denied data breach
The NPCI said in a statement on Monday that “no data has been compromised in the BHIM app.”
“We have received some news reports suggesting data breaches in the BHIM app. We want to make it clear that no data has been compromised in the BHIM app and we urge everyone not to fall prey to this kind of speculation. NPCI has a high level of protection and adherence to a law. An integrated approach to protect its infrastructure and continue to deliver a strong payment ecosystem,” NPCI said.
In its report, vpnMentor further said that the website that leaked the information was created by an organization called CSC e-Governance Services Limited, in partnership with the Government of India.
The problem was resolved late last month after researchers contacted India’s Computer Emergency Response Team (CERT-IN) twice a month.
Details of the hack
“In this case, the data was stored in an unsafe Amazon Web Services (AWS) S3 bucket,” the researchers said. S3 buckets are a popular form of cloud storage around the world, but developers need to establish protection protocols on their account.
“We have reached out to the developers of the website to inform them of the incorrect configuration in their S3 bucket and to assist us. After receiving no reply, we contacted the Computer Emergency Response Team (CERT-IN) of India, which deals with cyber security in the country,” they added.
A study led by vpnMentor’s Noam Rotem found that CSC had set up the website linked to the wrongly configured S3 bucket to promote BHIM use in India and to sign up new merchant businesses, such as mechanics, farmers, service providers and store owners, in the app.
On April 23, security researchers first discovered that the amount of exposed data was 409 GB.
“Strictly speaking, the S3 bucket seems to have a record for a short time: February 2019. However, even in such a short time, more than 7 million records were uploaded and exposed,” the report said.
“The issue of disclosure of BHIM user data can give hackers access to the entire bank’s infrastructure, including the account information of millions of users of a single bank.”
(With IANS input)