A security researcher going by the pseudonym ‘Ded Sec’ reported a cyber-security vulnerability on the Reserve Bank of India’s (RBI) website on Sunday morning. Ded Sec detected a cross-site scripting (XSS) flaw that allows an attacker to execute malicious code remotely via the RBI’s website.
“This allows several opportunities to attack, mostly by hijacking the user’s current [session] or by changing the look of the page in order to steal the user's credentials,” the researcher told Business Standard.
Ded Sec, through a series of tweets, tried to get the attention of the Computer Emergency Response Team (CERT-In) in New Delhi, the country’s nodal cyber security agency. They attempted to contact the RBI through Twitter and a contact form on the central bank’s website in order to report the vulnerability. Even after two days, “no answers came and the issue is not fixed yet,” the researcher said.
On being contacted by Business Standard, the RBI ran a vulnerability check on its website. An official of the central bank said its cyber security experts had looked into the matter and conducted vulnerability tests on the website to locate the issue, and found the site to be in order.
“Cross-site scripting is a common problem across many websites. We are ensuring this vulnerability, if at all, is taken care of,” said the spokesperson.
Cross-site scripting essentially targets the users of a particular application or website rather than the server. First, an attacker injects malicious code into a trusted website, for example that of a government organisation. When a regular user visits the infected page, the browser cannot distinguish the malicious parts of the code from the ‘trustworthy’ elements, so it runs both with the same privileges.
Taking advantage of that, the malicious script surreptitiously accesses the user’s cookies, session tokens and other sensitive information, such as IDs and passwords for other sites, usually retained within the browser history.
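The mechanism described above, as an added example that is not from the article or the RBI site: a page that reflects untrusted input into its HTML verbatim, the same page with output encoding, and a session cookie set with the attributes that keep a script from reading it. The page name, cookie name and test input are constructed for illustration.

```javascript
// Encode the five characters that let untrusted text break out of an HTML
// text node or attribute value. This is the core fix for reflected XSS.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable (hypothetical search page): the query is copied into the markup
// as-is, so any tag in it becomes part of the page the browser executes.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same page, with the query encoded before it reaches the markup.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Defensive check: does the rendered HTML contain any tag that the template
// did not already have? A simple illustration of the kind of test a CI suite
// or response-scanning rule can apply to reflected parameters.
function containsInjectedTag(html, template = "<p>Results for: </p>") {
  const tagsOf = (h) => (h.match(/<[^>]+>/g) || []).sort().join(",");
  return tagsOf(html) !== tagsOf(template);
}

// Session cookie attributes that blunt the cookie theft the article describes:
// HttpOnly hides the cookie from document.cookie, Secure restricts it to HTTPS,
// SameSite=Lax limits cross-site sends.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed input: a harmless tag is enough to show the difference.
function demo(input = "<b>x</b>") {
  return {
    vulnerable: renderSearchVulnerable(input),
    safe: renderSearchSafe(input),
    vulnerableInjected: containsInjectedTag(renderSearchVulnerable(input)),
    safeInjected: containsInjectedTag(renderSearchSafe(input)),
  };
}
```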
Cross-site scripting comprises roughly half of all cyber vulnerabilities tracked since 2012 by security agencies.
“Since it allows attackers to hijack other users' sessions, an attacker might get access to an administrator computer and gain full control over the applications,” the researcher said.
Such a vulnerability could give a hacker access to the log-in details of senior government employees and administrators, without the knowledge of either the user or the website administrator. At the time of this article's publication, the security researcher had not found the vulnerability to be resolved.