Security researcher raises hack scare alarm on RBI website

'Ded Sec' detected a cross-site scripting flaw that allows an attacker to execute malicious code remotely on the RBI's website.

Advait Rao Palepu Mumbai
Last Updated : May 23 2018 | 9:25 AM IST
A security researcher going by the pseudonym ‘Ded Sec’ reported a cyber-security vulnerability on the Reserve Bank of India’s (RBI) website on Sunday morning. Ded Sec detected a cross-site scripting flaw that allows an attacker to execute malicious code remotely on the RBI’s website.

“This allows several opportunities to attack, mostly by hijacking the user’s current or by changing the look of the page in order to steal the user's credentials,” the researcher told Business Standard.

Ded Sec, through a series of tweets, tried to get the attention of the Computer Emergency Response Team (CERT-In) in New Delhi, the country’s nodal cyber security agency. They attempted to contact the RBI through Twitter and a contact form on the central bank’s website in order to report the vulnerability. Even after two days, “no answers came and the issue is not fixed yet,” the researcher said.

On being contacted by Business Standard, the RBI ran a vulnerability check on its website. An official of the central bank said its cyber security experts had looked into the matter and conducted vulnerability tests on the website to trace the issue, and found it to be in order.

“Cross-site scripting is a common problem across many websites. We are ensuring this vulnerability, if at all, is taken care of,” said the spokesperson.

Cross-site scripting essentially targets the users of a particular application or website rather than the server. First, an attacker injects malicious code into a trusted website, for example that of a government organisation. When a regular user visits the infected website, the browser is incapable of distinguishing the malicious parts of the code from the trustworthy elements.

Taking advantage of that, the malicious script surreptitiously accesses users’ cookies, session tokens and other sensitive information, such as IDs and passwords for other sites, usually retained within the browser history.
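The two paragraphs above describe the mechanism in words. The following is an added example, not code from the article or from the RBI website, showing the defender's side of it: a page that copies a query parameter straight into its HTML beside the same page with the output encoded, a crude review check for active content in rendered HTML, and the cookie flags that keep a session token out of reach of script. All names here (escapeHtml, renderSearchUnsafe, renderSearchSafe, containsActiveContent, sessionCookieHeader, PROBE) are this example's own, and the probe string is a constructed, harmless marker.

```javascript
// Added example (not from the article or the RBI site). Shows output encoding
// as the fix for reflected cross-site scripting, plus session-cookie flags.

// The five characters that change meaning in an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text so the browser treats it as data, never as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the query string is interpolated into the page unchanged, so
// whatever markup it carries becomes part of the trusted page.
function renderSearchUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: the same page with the query encoded for an HTML text context.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Review check over rendered HTML: does a raw <script tag or an inline event
// handler appear where only text was expected? Heuristic, not a parser.
function containsActiveContent(html) {
  return /<script\b|\bon[a-z]+\s*=/i.test(html);
}

// Session cookie header with the flags that limit what a script can do with
// the token: HttpOnly hides it from document.cookie, Secure restricts it to
// HTTPS, SameSite=Strict stops the browser sending it on cross-site requests.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Constructed probe: a marker tag, not a working payload.
const PROBE = '<script>probe()</script>';

// Render the probe both ways and report whether active content survived.
function demo() {
  const unsafe = renderSearchUnsafe(PROBE);
  const safe = renderSearchSafe(PROBE);
  return {
    unsafeHasActiveContent: containsActiveContent(unsafe), // true
    safeHasActiveContent: containsActiveContent(safe),     // false
    safeHtml: safe,
    cookie: sessionCookieHeader('example-token'),
  };
}

console.log(demo());
```

The encoding has to match the context the value lands in: escapeHtml covers HTML text and quoted attributes, but a value dropped into a URL, a JavaScript string or a CSS rule needs that context's own encoder. The HttpOnly flag does not stop an injected script from acting on the user's behalf while the page is open; it only denies the script the token itself.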

Cross-site scripting comprises roughly half of all cyber vulnerabilities tracked since 2012 by security agencies.

“Since it allows attackers to hijack other users' sessions, an attacker might get access to an administrator computer and gain full control over the applications,” the researcher said. 

Such a vulnerability could give a hacker access to the log-in details of important government employees and administrators, without the knowledge of either the user or the website administrator. At the time of this article's publication, the security researcher had not found the vulnerability to be resolved.
