Uncovering Vulnerabilities: Security Flaws Discovered on the Indian Prime Minister’s Website

Hello geeks, Biswajeet Ray Here, Security Engineer, OSINT & Threat Analyst.

I’ve been acknowledged by Microsoft, IBM, Lenskart, Shaadi.com, Panasonic, HP and many companies and governments for reporting security vulnerabilities in their web applications.

Disclaimer: I am writing about how i found and reported vulnerabilities in Our Prime Minister Narendra Modi site. We Indians always ready to contribute for our nation.

Let's start,

Before Independence Day I sudden remember that our PM is protected by SPG. But what about his websites. So as an Indian I remembered my fundamental duties always nation first.

Special Protection Group

Then i started hunting on our PM site so the first vulnerability found by me is Cross site scripting (XSS)

(1) I found approx 8 subdomains vulnerable to Cross Site Scripting

param “s=” used payload %22%3E%3C/iframe%3E%3Cscript%3Ealert(`HACKED%20AND%20LOVED%20BY%20BISWAJEET%20RAY`);%3C/script%3E%3Ciframe%20frameborder=%220%EF%BB%BF

Screenshot

(2) Unauthenticated Access via Default Credentials

After finding XSS i found Unauthenticated access which gives me unauthenticated access to Nagios dashboard

Screenshot

I immediately reported it to incident@cert-in.org.in with POC

Response by CERT-IN and PMO Team

Aug 11, 2023 : Reported

Aug 14, 2023 : A ticket was assigned.

Aug 21, 2023 : The issue was resolved (Retested)

Aug 21, 2023: Acknowledged by CERT after verification and fixes from PMO.

Kudos to CERT-IN team for fast response and fixes.

Acknowledged by PMO and CERT-In via Appreciation mail.

Thanks for reading. Keep securing internet. Always remember nation first.

For more you can contact me here:

https://www.linkedin.com/in/biswajeet-ray-397742200/ [Linkedin]

https://twitter.com/BiswajeetRay7 [Twitter]