India’s federal election commission has recently addressed vulnerabilities in its website. The flaws allowed access to sensitive data related to citizens’ voting eligibility, political candidates and parties, and technical details regarding electronic voting machines. With the country preparing for the upcoming general elections in April-May, it was crucial that these issues be resolved before the new government is formed.
The Election Commission of India has fixed the bugs in its Right to Information (RTI) portal, which allows citizens to request access to records from constitutional authorities, as well as from state and central government institutions and organizations that receive substantial funding from the Indian government.
The bugs allowed unauthorized access to personal information in RTI requests, such as the filing date, questions asked, and mailing address. This information, along with responses from officials, could be viewed without authentication.
Security researcher Karan Saini initially identified the flaws in February. After receiving no response from authorities, he reached out to TechCrunch for assistance in disclosing the vulnerabilities. The Election Commission, Indian Computer Emergency Response Team (CERT-In), and National Critical Information Infrastructure Protection Center all failed to respond until CERT-In intervened, and the bugs were finally fixed earlier this week.
“CERT-In has been in communication with the appropriate authority regarding this issue. They have recently informed us that the reported vulnerability has been addressed,” stated a representative from the Indian cybersecurity agency in an email response to TechCrunch.
While RTI applications and responses are not legally confidential in India, a 2014 court ruling in Kolkata ordered authorities to conceal the personal information of RTI applicants on their websites. However, the Election Commission’s RTI portal allowed external access to this data without requiring a login, which left it open to scraping and made it a privacy concern.
The Election Commission of India did not respond to a request for comment on the matter.