If you received a message from “IWTXT” asking you to pay some money, would you believe it?
No, right?
What if you live in Andhra Pradesh, and that message came from “APGOVT” and requested the same? A message saying you are eligible for some scheme, followed immediately by a call from a number claiming to be from the government, asking you to pay an amount to avail the scheme?
You would likely believe it, given the sender ID, wouldn’t you?
What if I told you I could do the same — use credible IDs like “HPGOVT” or “ECISMS” and send text messages to every person in the country? Now, what if some malicious hacker got access to this privilege?
Imagine the kind of damage they could cause.
The possibilities are wild.
This story is about how I came across something that I shouldn’t have and how I worked my way backward to achieve the same results.
How It All Began
Every once in a while, I go around dumpster-diving on GitHub and some other sites to find interesting things that aren’t supposed to be there.
One day, I got access to some interesting-looking credentials in public repositories. But who do these credentials belong to? What do they do? Is there anything cool that I can do with them?
It’s time to figure out some answers!
Deciphering: trial one
The only lead I had was a URL. Now let's try to find out what it can do.
This is the response I got when I visited that URL:
GET Method Not Supported
Interesting. The next obvious step was to try the POST method.
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>404 Error - Page Not Found</title>
</head>
<body>
<center>
<h1>Sorry, the page you requested were not found.</h1>
</center>
</body>
</html>
Deciphering: trial two
So, a POST request with no parameters didn’t give any useful information. I needed to know which parameters the POST request requires, so I looked at the website hosted on the same domain as the URL.
Okay, so the website belongs to Mobile Seva — National Mobile Governance Initiative.
Interesting! I might be on to something.
Mobile Seva is developed by CDAC (Centre for Development of Advanced Computing). It provides various services, and an SMS gateway is one of them. Using this gateway, one can send push and pull SMS.
What is Push/Pull SMS service?
On reading the webpage, I understood that push SMS service is used to send SMS to phones. Pull service, on the other hand, is to query information by yourself.
How the PUSH SMS service works: [diagram]
How the PULL SMS service works: [diagram]
Over 600 crore (6 billion) SMS messages have been sent through this service.
Almost all the state government services also use this.
As you can see, several services are using this facility by CDAC, and the number of messages sent to date is in crores.
Dissecting PUSH Service
I found some documentation (last updated in 2018) and some sample code on the website. There are two ways to use the PUSH service:
Method 1:
One way is to sign up on the portal; after approval (which only government agencies would get), we can log in directly and send SMSes.
Since that is not possible, we could try the credentials we already have. The catch is that the portal login also requires an OTP, which is sent to the registered user account (access to which we don’t have).
Method 2:
The other alternative is to use the API. This makes sense because we have access to a URL endpoint.
So, to send messages, we make an HTTP POST request to the above URL with the parameters the documentation marks as required.
The API supports sending both normal and Unicode single messages, OTP, and bulk messages.
If we have these 3 values (username, password, and senderid), we should be able to send any message to anybody or even send bulk messages.
Now that we’re sure we require these particular values, I searched on GitHub — the number one place developers leak stuff like this by uploading their projects in public repositories rather than uploading them to private repositories. I was able to find 30+ credentials and required details to make these requests. There are definitely more, but I got bored halfway.
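Leaks like the ones described above are mechanical to find once the endpoint is known. The following is an added example, not code from the original post or from CDAC: a small scanner that flags files which reference the MSDP gateway host and, in the same file, assign the three values the post says are sufficient (username, password, senderid). The sample repository contents are constructed for the demo with fake values; the credential key names come from the post, and the rule that skips lines reading the value from the environment is my own heuristic.

```python
"""Scan source files for leaked MSDP SMS-gateway credentials.

Added example; not part of the original post or of CDAC's tooling.
A file is reported only if it references the gateway host and also
assigns credential-like keys.  Lines that read the value from the
environment (the pattern developers should use) are not reported.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

GATEWAY_HOST = re.compile(r"msdgweb\.mgov\.gov\.in", re.IGNORECASE)

# The three values the post identifies as enough to call the push API.
CRED_KEYS = ("username", "password", "senderid")
# Matches  username = "x"   "password": "x"   sms.senderid=x   &senderid=x
CRED_ASSIGN = re.compile(
    r"""\b(?P<key>username|password|senderid)\b["']?\s*[:=]\s*["']?(?P<val>[^"'\s&,]+)""",
    re.IGNORECASE,
)
# Heuristic (my own): values pulled from the environment or left as a
# placeholder are not leaks.
SAFE_REF = re.compile(r"os\.environ|getenv|process\.env|\$\{|<[A-Z_]+>")


@dataclass
class Finding:
    path: str
    line: int
    key: str
    masked: str  # first two characters of the value, rest hidden


def mask(value: str) -> str:
    """Never echo a secret in full in a report."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_file(path: str, text: str) -> List[Finding]:
    """Report credential assignments in a file that references the gateway."""
    if not GATEWAY_HOST.search(text):
        return []
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SAFE_REF.search(line):
            continue
        for m in CRED_ASSIGN.finditer(line):
            findings.append(Finding(path, lineno, m.group("key").lower(), mask(m.group("val"))))
    return findings


def scan_repo(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan a mapping of path -> content; return findings per file."""
    results: Dict[str, List[Finding]] = {}
    for path, text in files.items():
        hits = scan_file(path, text)
        if hits:
            results[path] = hits
    return results


def complete_sets(results: Dict[str, List[Finding]]) -> List[str]:
    """Files leaking all three values at once: enough to send messages."""
    return [p for p, hits in results.items() if {h.key for h in hits} >= set(CRED_KEYS)]


# Constructed sample repository; every value below is fake.
SAMPLE_REPO = {
    "sms/config.properties": (
        "sms.url=https://msdgweb.mgov.gov.in/esms/sendsmsrequestDLT\n"
        "sms.username=deptuser\n"
        "sms.password=Pa55w0rd!\n"
        "sms.senderid=XXGOVT\n"
    ),
    "sms/notify.py": (
        "import os\n"
        'URL = "https://msdgweb.mgov.gov.in/esms/sendsmsrequestDLT"\n'
        'username = os.environ["SMS_USER"]\n'
        'password = os.environ["SMS_PASS"]\n'
        'senderid = "XXGOVT"\n'
    ),
    "docs/README.md": "Set password in the admin panel.\n",
}

if __name__ == "__main__":
    report = scan_repo(SAMPLE_REPO)
    for path, hits in report.items():
        for h in hits:
            print(f"{path}:{h.line}: {h.key} = {h.masked}")
    print("complete credential sets:", complete_sets(report))
```

In a real sweep the same two-stage rule (host reference first, then credential keys) keeps the noise down: a bare `password=` in a random repository is not interesting, but one sitting next to the gateway URL almost always is.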
Before we proceed, let me share a little bit about sender IDs.
What is a Sender ID?
Have you wondered why text messages from some services arrive from a sender ID rather than from a phone number?
Here ADIndiGo and ADAXISBK are sender IDs, also called the CLI (Calling Line Identification).
These Sender IDs are reserved by companies and government organisations.
To know more about sender IDs and how they are composed, you can read this document. You can also find all the registered sender IDs on the TRAI website.
A message from one of these sender IDs is meant to be authentic, and that is exactly what makes them valuable to an attacker: the recipient has no other way to tell a genuine message from a forged one.
Now the question is, can I somehow send messages from them?
Time to Test
Now that we have the credentials, the endpoint, and thanks to the documentation, the parameters for the POST request to be made, it’s time to test!
I set up Postman to easily send POST requests, and voila!
This is awesome! It clearly works.
HPGOVT belongs to Himachal Pradesh Government, ECISMS belongs to the Election Commission of India.
Imagine people receiving a message from the Election Commission of India that the election booth is closed or elections are postponed because of the Covid19 pandemic?
The scope of this is terrifying.
Using this, I could send arbitrary text messages at one go to millions of mobile numbers in India.
Out of the 30+ credentials I could have used, I only tested 15, out of which 8 worked, 5 didn’t; for the remaining 2, I got the following response:
IP not Whitelisted
Interesting! So there is a security feature in place: the account owner can whitelist IP addresses, and the MSDP (Mobile e-Governance Service Delivery Platform) servers then accept requests for that account only from those addresses.
But sadly, almost nobody is using this important feature: only 2 of the 15 accounts I tested returned this error.
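To show what the whitelist check buys and where implementations of it usually go wrong, here is an added example of a server-side allowlist check. It is not CDAC's code; the account names, address ranges and proxy range are constructed. The point it demonstrates is twofold: an account with no allowlist should fail closed rather than default to "any IP", and the X-Forwarded-For header must only be trusted when the request really came through the platform's own proxy.

```python
"""Server-side IP allowlisting for an SMS gateway account.

Added example, not CDAC's code.  Accounts, ranges and proxies are made up.
"""
import ipaddress
from typing import Dict, List, Optional

# Per-account allowlists.  "dept_b" never configured one, which is the
# state the post found in most accounts.
ALLOWLISTS: Dict[str, List[str]] = {
    "dept_a": ["203.0.113.10/32", "198.51.100.0/28"],
    "dept_b": [],
}

# Only our own reverse proxies may assert a client address on our behalf.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(remote_addr: str, forwarded_for: Optional[str] = None):
    """Resolve the address to check against the allowlist.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise any caller could send 'X-Forwarded-For: <allowlisted ip>' and
    walk straight past the check.  The rightmost entry is the one our proxy
    appended, so that is the only one trusted; anything the caller prepended
    is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def is_allowed(account: str, ip) -> bool:
    """Fail closed: an account with no allowlist (or an unknown account)
    cannot use the API at all, instead of defaulting to 'any IP', which is
    what made the leaked credentials usable from anywhere."""
    nets = ALLOWLISTS.get(account, [])
    return any(ip in ipaddress.ip_network(n) for n in nets)


def check_request(account: str, remote_addr: str, forwarded_for: Optional[str] = None) -> str:
    """Gateway verdict for one request, using the wording seen in the post."""
    ip = client_ip(remote_addr, forwarded_for)
    return "OK" if is_allowed(account, ip) else "IP not Whitelisted"


if __name__ == "__main__":
    for args in [
        ("dept_a", "203.0.113.10", None),         # direct from an allowlisted host
        ("dept_a", "192.0.2.5", "203.0.113.10"),  # forged header from an untrusted peer
        ("dept_a", "10.1.2.3", "203.0.113.10"),   # same header, but via our proxy
        ("dept_b", "203.0.113.10", None),         # account never configured a list
    ]:
        print(args, "->", check_request(*args))
```

If the platform sits behind more than one proxy hop (a CDN in front of its own load balancer, say), the number of trusted entries stripped from the right of X-Forwarded-For has to match that hop count; trusting the leftmost entry is the classic mistake that turns an allowlist into a formality.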
I found this issue in February and recently came back to it because I wanted to write a blog, and I noticed something strange.
I can no longer send messages.
What Changed?
If I make the same HTTP POST request I did earlier, the server now responds with:
430 : Kindly migrate to new SMS API url https://msdgweb.mgov.gov.in/esms/sendsmsrequestDLT, Kindly refer https://mgov.gov.in/msdp_techarticle.jsp for API Integration.
This is weird, since the same request worked a few weeks ago.
After changing the URL and sending the same request, this is the response I got:
ERROR : 423 TEMPLATE_ID is mandatory and it should be 12 or 19 digit length
At this point, I gave up on it because I had no clue what a Template ID was. But after a few days, it occurred to me that TRAI had made some recent changes related to sending commercial communication messages:
What is this Template ID?
Digging down that rabbit hole, I understood what TRAI actually did. Earlier, these SMS gateways could send whatever message they wanted. Since the new rules came into force on 1st April 2021, that is no longer possible: every message you receive is now based on a pre-registered template.
Distributed ledger technology
Distributed Ledger Technology (DLT) is a blockchain-based registration system. Commercial messages such as OTPs, verification codes and notifications sent by businesses to their customers must be registered on the TRAI DLT platform before they can be sent.
It is aimed at creating more transparency and reducing the incidence of spam and fraud done through SMS.
In this new system, businesses need to register template messages like:
- Dear {{VAR}}, your OTP for the online purchase is {{VAR}}
- Dear {{VAR}}, Your registration with ID {{VAR}} has been successful.
TRAI approves these templates, and only messages in this format are allowed to be sent.
I went back to look for some Template IDs and found some. Surprisingly, the MGov website hasn’t updated its documentation yet to include the now-mandatory template ID.
The list of parameters in Table 1 required to complete an HTTP POST request now needs to be corrected, and this is not yet reflected on the MGov website.
Essentially, nobody can send arbitrary messages using the loophole described above anymore; TRAI’s new system closed that part of it.
One can still send any message that fits a registered template, and the leaked credentials themselves still authenticate, so the template variables remain the only free text available to an attacker. But this largely restricts the possibilities of scams and misuse.
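To make concrete what the template rule does and does not stop, here is an added example of template scrubbing in miniature. It is not TRAI's or CDAC's code: a registered template is turned into an anchored regular expression in which only the {{VAR}} slots accept caller-supplied text, so a message that does not fit an approved template for that sender ID is rejected even when the caller holds valid gateway credentials. The template IDs and the XXGOVT sender ID are constructed, and the 30-character cap on a variable is an assumption made for the demo; the two template texts are the ones quoted above.

```python
"""DLT-style template scrubbing, reduced to its core.

Added example, not TRAI's or CDAC's code.  Template IDs, the sender ID and
the per-variable length cap are constructed / assumed for the demo.
"""
import re
from typing import Dict, List, Optional, Tuple

# template id -> (sender id it is registered under, approved text)
TEMPLATES: Dict[str, Tuple[str, str]] = {
    "1107160000000000001": ("XXGOVT", "Dear {{VAR}}, your OTP for the online purchase is {{VAR}}"),
    "1107160000000000002": ("XXGOVT", "Dear {{VAR}}, Your registration with ID {{VAR}} has been successful."),
}
MAX_VAR_LEN = 30  # assumed per-variable length limit for this demo


def template_regex(text: str, max_var_len: int = MAX_VAR_LEN) -> "re.Pattern[str]":
    """Escape the literal parts; each {{VAR}} becomes a bounded capture group.

    Because the literal text is escaped and the whole message must match,
    the caller controls nothing outside the variable slots.
    """
    parts = [re.escape(p) for p in text.split("{{VAR}}")]
    slot = r"(.{1,%d}?)" % max_var_len
    return re.compile(slot.join(parts))


def scrub(template_id: str, sender_id: str, message: str) -> Optional[List[str]]:
    """Return the variable values if the message fits the template registered
    under template_id for this sender; otherwise None (message rejected)."""
    entry = TEMPLATES.get(template_id)
    if entry is None or entry[0] != sender_id:
        return None  # unknown template, or not registered for this sender ID
    m = template_regex(entry[1]).fullmatch(message)
    return list(m.groups()) if m else None


if __name__ == "__main__":
    t1 = "1107160000000000001"
    cases = [
        (t1, "XXGOVT", "Dear Ravi, your OTP for the online purchase is 482913"),
        (t1, "XXGOVT", "Polling booths will stay closed today"),   # the arbitrary text the post feared
        (t1, "HPGOVT", "Dear Ravi, your OTP for the online purchase is 482913"),  # wrong sender
        (t1, "XXGOVT", "Dear Ravi, your OTP for the online purchase is 482913 call 9999999999"),
    ]
    for tid, sender, msg in cases:
        print(repr(msg), "->", scrub(tid, sender, msg))
```

The last case in the demo is the residual risk the post points at: the literal text is locked down, but a variable slot still accepts anything up to the length cap, so a phone number or instruction can ride inside the "OTP" variable under a government sender ID. Template scrubbing narrows the attack; it is the credential leak and the unused IP whitelist that actually let it happen.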
Conclusion
I might not be the first one to discover this. It is crucial to check whether this has been misused before, and what the consequences were.
In addition, government organisations should ensure that their developers (both in-house and outsourced) do not push credentials and other secrets to services like GitHub. Basic training should be given to these developers, and any credential that has ever appeared in a public repository should be treated as compromised and rotated, since deleting the commit does not undo the leak.
And, by design, the CDAC API service supports IP whitelisting. So it should have been enforced rather than left optional.
What is the use of a security feature if nobody uses it?
Additional points to be noted
I was testing while writing this blog and noticed the server just went down. I kept getting 404 Not Found on the main endpoint for more than an hour.
Many applications that rely on this service must have faced difficulties sending messages (OTPs) to their users. This makes the service a single point of failure.
I noticed that in this RFP from 2013, CDAC explicitly stated that they want to run Mobile Seva in High Availability and Fault Tolerant mode, which means they had thought about this and did not want the servers to go down.
Since several services depend on it, proper load testing must be done on the MSDP servers.
NOTE: If you need to check if your company’s credentials/secrets have been leaked on Github and need assistance fixing that or general security advice/services for your company/organisation feel free to drop an email at contact@hackrew.com.