Researcher Uncovers 14 Vulnerabilities in Indian Government Systems, Exposing Sensitive Citizen Data
An independent security researcher has identified 14 vulnerabilities, including critical flaws, in Indian government IT systems, potentially exposing millions of citizens' personally identifiable information.
An independent cybersecurity researcher, Sushant Bhardwaj, has uncovered a significant security lapse within Indian government IT infrastructure, identifying 14 distinct vulnerabilities. Among these, two were classified as critical severity and four as high severity, affecting major national platforms used by millions of students and job aspirants. The discovered flaws put a wide array of sensitive citizen data at risk, including names, addresses, birthdays, and even bank account numbers.
Bhardwaj's investigation revealed critical issues in systems managed by the Directorate of Education in Delhi. He found that access controls protecting two government directories were not properly enforced at the server level, allowing unauthenticated access to sensitive student enrollment data and employee records. Predictable file naming structures further aided in the exposure of this information, making it easily discoverable for anyone with malicious intent.
Further analysis of a different Delhi government portal, which handles scholarships, exposed the personal details and complete bank account numbers of 4,399 individuals. This portal, due to its function, disproportionately affected lower-income individuals, increasing the potential harm from data exposure.
The most alarming discovery was made within the Union Public Service Commission (UPSC) portal, India's primary body for civil service recruitment. Bhardwaj identified a dozen vulnerabilities, with the most critical being the complete lack of security for the administrative interface responsible for authentication. This oversight would have allowed any attacker to gain full control of the system and its data with ease.
Additional vulnerabilities in the UPSC portal included susceptibility to automated credential attacks, missing crucial browser-level security headers, and issues with one-time password (OTP) mechanisms, all of which could have been leveraged in various attack scenarios.
Experts note that such vulnerabilities often stem from simple configuration errors rather than sophisticated exploits. Trey Ford, chief strategy and trust officer at Bugcrowd, highlighted that shared infrastructure across many government portals can lead to a lack of clear accountability for access control enforcement. He emphasized that treating coordinated disclosure as defensive infrastructure is key to turning potential exposures into swift fixes.
Bhardwaj echoed these sentiments, stating that most identified issues were due to configuration weaknesses and security oversights, rather than advanced attack techniques. He also pointed to resource constraints, lengthy procurement timelines, and a shortage of cybersecurity professionals as factors that can slow remediation efforts in government sectors.
Despite these findings, Bhardwaj expressed optimism about India's improving cybersecurity posture. He observed a growing recognition of responsible vulnerability disclosure among government organizations and a more professional engagement with security researchers. Continued collaboration among government agencies, industry, academia, and the security research community is deemed essential for building resilient and secure public digital infrastructure.