Friday, April 19, 2024

Hacker says ‘flaw’ in Punjab govt power site left consumer data exposed. Firm says snag ‘fixed’

Punjab State Power Corporation has 95 lakh customers. Cybersecurity analyst Sunny Nehra says their names, numbers and addresses could have been accessed due to a ‘security flaw’.


New Delhi: A “security flaw” in the Punjab State Power Corporation (PSPCL) website has made consumer data accessible to hackers, according to cybersecurity analyst and ethical hacker Sunny Nehra. Reached for comment, the PSPCL said the issue had been addressed. 

The government-owned power utility has around 95 lakh consumers across Punjab.

Nehra told ThePrint he discovered the alleged loophole in the PSPCL website while testing out its security when a friend of his had to pay their power bill.

“On 22 March, a friend had to pay their PSPCL electricity bill, so that got me started testing out how secure the PSPCL website was,” he said.

“I was shocked to find a vulnerability that allowed me to access all customer and billing information. Customer name, phone number, resident and email addresses everything can be extracted,” Nehra added.

Nehra said he had not counted how many customers’ data can be extracted, but it looked like “anyone who has paid a PSPCL bill online might be affected by this”. 

Nehra claimed he had alerted an official at Cert-IN (Indian Computer Emergency Response Team), the nodal agency under the Ministry of Electronics and Information Technology that responds to cybersecurity threats, as well as an IAS officer in Punjab about the security flaw.

Nehra also said he had found that the PSPCL website had no proper mechanism to stop malicious codes from being used at the backend to access confidential data.

In response to ThePrint’s queries on the matter, Harjit Singh, officer on special duty (OSD) to PSPCL Chairman and Managing Director Baldev Singh Sran, said in an email: “The issue reported regarding exposing mobile/email of registered consumers, during voluntary consumer registration, stands addressed.”

However, Nehra said that while the PSPCL web link related to contact registration had been secured, the link related to bill payment was yet to be secured as of Thursday.

Nehra is the administrator of a YouTube channel called ‘Hacks & Security’ with over 32,000 followers. The channel claims to offer “in depth knowledge of technical stuff”. The namesake website “focuses on improving your knowledge, skills, concepts, vision, approach and understanding regarding the digital world”.



What’s the security flaw?

The security flaw in the website was due to an ‘Insecure Direct Object Reference (IDOR)’ vulnerability, also known as ‘Broken Object Level Authorisation (BOLA)’, according to Nehra.

IDOR vulnerabilities happen when a website does not properly check, on each request, whether the logged-in user is actually authorised to access the specific record being requested. This can allow users to access more information stored on the website’s servers than they have the right to access.

A common design mistake that leads to an IDOR vulnerability is exposing an identifier such as the customer account number as a parameter in the web link itself, and then serving whatever record that parameter points to.

For example, a link like ‘www.xyz.com/myaccount/uid=12’ has a parameter called ‘uid’. If the site does not verify ownership, this value of ‘uid’ can be manually changed to 19, 20, etc. to access other users’ pages.

This way, an attacker can adjust the PSPCL account number parameter using an automated script, so that a program iterates through the range of plausible PSPCL account numbers and retrieves the customer information linked to each of them as well.
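To make the mechanism concrete from the defender’s side, here is an added illustration (not PSPCL’s code, and not from Nehra): a minimal bill-lookup handler written twice, once with the IDOR defect described above and once with the object-level authorisation check that fixes it, followed by a simple log heuristic that flags sessions requesting many different account numbers. The account numbers, names, phone numbers, session IDs and log lines are all constructed for the example; the log format and the threshold of three distinct accounts per session are assumptions.

```python
"""Constructed IDOR illustration: vulnerable vs. authorised lookup, plus a log heuristic.

Nothing here is PSPCL's code; all data below is made up for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Bill:
    account_no: str
    owner: str        # login of the consumer who registered this account
    name: str
    phone: str        # constructed placeholder, not a real number
    amount_due: int   # in rupees


# Constructed sample data: two accounts registered to two different logins.
BILLS = {
    "1001": Bill("1001", "alice", "A. Kaur", "98xxxxxx01", 1450),
    "1002": Bill("1002", "bob", "B. Singh", "98xxxxxx02", 980),
}


class Forbidden(Exception):
    """Raised when the session user may not see the requested record."""


def get_bill_vulnerable(session_user: str, account_no: str) -> Bill:
    """IDOR: returns whatever account the URL parameter names.

    The logged-in user is never compared against the record's owner, so
    changing the account number in the link reveals someone else's data.
    """
    bill = BILLS.get(account_no)
    if bill is None:
        raise KeyError(account_no)
    return bill


def get_bill_secure(session_user: str, account_no: str) -> Bill:
    """Fixed: object-level authorisation on every request.

    Missing and not-owned records produce the same error so the endpoint
    does not act as an oracle for which account numbers exist.
    """
    bill = BILLS.get(account_no)
    if bill is None or bill.owner != session_user:
        raise Forbidden(f"{session_user} may not view account {account_no}")
    return bill


# Assumed access-log shape (constructed): "<time> session=<id> GET /bill?account=<no> <status>"
LOG_RE = re.compile(r"session=(?P<sid>\S+) GET /bill\?account=(?P<acct>\d+) (?P<status>\d{3})")

SAMPLE_LOG = """\
10:00:01 session=s1 GET /bill?account=1001 200
10:00:05 session=s2 GET /bill?account=1001 200
10:00:06 session=s2 GET /bill?account=1002 200
10:00:06 session=s2 GET /bill?account=1003 200
10:00:07 session=s2 GET /bill?account=1004 200
10:00:09 session=s1 GET /bill?account=1001 200
"""


def suspicious_sessions(log_text: str, threshold: int = 3) -> list[str]:
    """Return session IDs that fetched at least `threshold` distinct accounts.

    A single consumer normally views one or two of their own accounts;
    a session walking through many consecutive numbers is the pattern
    an IDOR enumeration leaves behind in the logs.
    """
    seen: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        seen.setdefault(m["sid"], set()).add(m["acct"])
    return sorted(sid for sid, accts in seen.items() if len(accts) >= threshold)


if __name__ == "__main__":
    # bob asks for alice's account: the vulnerable handler hands it over ...
    print("vulnerable:", get_bill_vulnerable("bob", "1001").name)
    # ... the fixed handler refuses.
    try:
        get_bill_secure("bob", "1001")
    except Forbidden as exc:
        print("secure:", exc)
    print("flagged sessions:", suspicious_sessions(SAMPLE_LOG))
```

The fix is the single ownership comparison in `get_bill_secure`; the server-side lookup key stays the same, but the record is only returned when it belongs to the authenticated session. The log heuristic is deliberately crude and would need tuning against real traffic, but it shows the signal a utility could monitor for while such a defect is being remediated.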

(Edited by Gitanjali Das)

