The Cybernews research team has been alerted that the Global Pravasi Rishta Portal was leaking sensitive user data. Unfortunately, the tip proved accurate.
The platform exposed user names, surnames, country of residence, and email addresses in plaintext, as well as occupation status, phone and passport numbers. The leak was possible because of poor security measures, such as a lack of authentication methods.
The Global Pravasi Rishta Portal is a platform with the goal of connecting 30 million Indian expats. The platform owner is the Ministry of External Affairs of India, the country’s government body responsible for implementing foreign policy.
The Cybernews team has reached out to the Ministry of External Affairs to inform it of the leak. We did not receive a reply, but several days later the security issue had been fixed.
The data was exposed via the website’s edit function, where manipulating the URL allowed anyone to access the edit details of any user on the site. In other words, it takes only one registered user to access all of them, since changing the user ID in the URL leads to another user’s account.