Flaw Exposing Data of 44 Million Indian Investors PatchedResearchers Found 2 Critical Flaws in Central Depository Services Ltd. Code
A critical vulnerability in the Central Depository Services Ltd., or CDSL, which is India's largest securities depository, has been discovered and patched, according to researchers. Exploitation of the vulnerability could have potentially exposed sensitive information of 43.9 million investors in the country, note the researchers at cybersecurity consultancy firm CyberX9.
The authorization vulnerability was found in the API of CDSL Ventures Ltd., a CDSL subsidiary that is a government-approved KYC - or "know your client" - registration agency, the researchers say.
The breach, they add, would have affected all Indian investors, who are mandated to have a KYC-compliant demat account that holds financial securities in electronic form.
The exposed database included personal information of investors, such as full name, address, telephone number and email ID as well as highly sensitive data, such as Permanent Account Number or PAN, income and net worth, broker name, amount of annual income tax return filed and CDSL client ID, the researchers say. The exposed information dated back to 2005, they add.
CDSL Ventures Ltd. took immediate action to mitigate the vulnerability and has worked proactively to address any other potential security issues as well, the organization told news platform Hindu Business Line.
Second Critical Vulnerability Within 10 Days
The latest critical vulnerability is the second one found in CDSL's code in the span of 10 days, according to CyberX9 researchers.
On Oct. 19, researchers found a critical vulnerability that exposed sensitive information belonging to Indian investors in CDSL Ventures Ltd. and reported it to India's Computer Emergency Response Team, CERT-In, and the National Critical Information Infrastructure Protection Center, or NCIIPC.
The CDSL took seven days to fix the vulnerability, following which CyberX9 published its findings on Oct. 28, Himanshu Pathak, founder and managing director of CyberX9, tells Information Security Media Group.
The very next day, CyberX9s researchers were able to bypass CDSL's patch "within a couple of minutes" and also discovered the second vulnerability, he says.
"The data was clearly exposed to the whole internet - twice. The first vulnerability was indeed fixed, but after seven days of our report to CERT-In and NCIIPC. On Oct. 29, our team found [another] vulnerability exposing the data again," Pathak tells ISMG.
He declined to share specifics of the code in which the vulnerability was found, as that could potentially help malicious attackers exploit any unaddressed flaws in the CDSL systems.
The CDSL, he adds, is not in the clear yet, given its "horrible security posture." "There is a possibility of more vulnerabilities, which may even result in hacking of their depository servers holding demat account assets such as shares, mutual funds, electronic fund transfers, etc.," he says.
CDSL did not respond to ISMG's request for information on the status of the first patch and how the organization has boosted cyber resilience and vulnerability detection following discovery of the vulnerability.
CISOs of securities and brokerage firms must pay close attention to securing their APIs, especially when their applications are updated, Pathak says.
"CISOs should also thoroughly check for Insecure Direct Object References and authentication vulnerabilities in APIs or in applications dealing with sensitive data," he says. IDORs are access control vulnerabilities that crop up when an application leverages user-supplied input to access objects directly.
It is imperative for organizations to responsibly report security vulnerabilities, he says. "This ensures researchers with good intent are not forced to straightaway publicly disclose the vulnerabilities before they get fixed," he says. Pathak also recommends adding a security.txt file to help security researchers get in touch with companies more easily to report security issues.
Securing India's Securities Market
The Securities and Exchange Board of India, or SEBI, in December 2018 issued a circular, mandating all stock exchanges and depositories to build a cybersecurity framework that includes measures, tools and processes intended to prevent cyberattacks and improve cyber resilience.
Stock exchanges and depositories, according to SEBI's guidelines, are required to identify critical IT assets and associated risks, as well as deploy suitable controls, tools and measures to detect incidents, anomalies and attacks.
The mandate incorporates principles of "zero trust" and says that no person, irrespective of rank, should have an intrinsic right to access confidential data. Any access to stockbroker and depository systems, applications, networks and databases should be for a defined purpose and for a defined time period, it says.
From an IT standpoint, SEBI's mandate includes the installation of firewalls, proxy servers and intrusion detection and prevention systems. All critical systems with internet access are also required to deploy two-factor security measures and VPNs.
The measures, although fairly stringent and current, did not prevent a data breach incident in online trading platform Upstox. In April 2021, the company said it had been warned of a possible compromise of contact data and KYC details in a third-party data warehouse.
Upstox apologized for the data breach and informed users that it had restricted access to the affected database, added multiple security enhancements at all of its third-party data warehouses, set up 24x7 monitoring and ramped up its bug bounty program.