UTI ITSL – Data Disclosure through a single key

NSDL and UTI are the two bodies under the Indian Government that are the official PAN card service providers. Recently I had occasion to use UTI ITSL's services for a PAN update.

After waiting some time for the card to be processed, I went to the UTI-ITSL website to check the status. I entered my application number and instantly got the status of my application. Cool!

As a fuzzer, in the form field for ‘Application Coupon Number’ I entered the next number (my application number + 1). And yes, it gave results. I entered some more numbers in the sequence and got results for each query. I could get results for applications as far back as 2011. This means that anyone who runs a tiny script to walk the counter can scrape the data of every applicant from the last 8 years and easily get the details: full name, PAN number, application number.

[Image: Details – Name, PAN No, Courier Tracking Details]

As shown in the image above, all these details are visible to everyone without any kind of authentication; you only need to input a 9-digit application number.

And there is more: you can find the PIN code and city of the applicant through the courier tracking number:

[Image: Post Office Track]

This PAN card was delivered to some guy in RANPUR (Gujarat) on 09-03-2017, so he most probably lives there.

If you are luckier, you also get the date of birth and the spouse's/father's name of the applicant:

[Image: Mismatch 1]

The applicant above has a name mismatch between the Income Tax Department's data and the data provided in the application. Which fields need to be shown to the applicant in that case? Only the field that has the conflict, right? No: even the DOB, which is completely irrelevant to a name mismatch, is shown. Proof below:

[Image: Mismatch 2]

In the case of a name mismatch (the field highlighted in pink by the UTI guys), the father's name and DOB are displayed as well.

With a small modification, the same script can fetch the DOBs of everyone whose application has such a mismatch. By correlating the three sources (status page, mismatch page, courier tracking), we end up with the following for a single applicant:

  1. Applicant’s full name
  2. Applicant’s Father’s full name
  3. Applicant’s DOB
  4. Applicant’s PAN Number
  5. Applicant’s PIN Code and City

This is a serious flaw in the design of their application: it hands over such golden data with very little effort and exposes the PII of millions of applicants.

Some suggestions for UTI developer guys:

  • Randomize the application numbers, if possible: an unpredictable reference instead of a sequential counter, so that "my number + 1" is not somebody else's application.
  • Please do not allow anyone to query your database with a single key. At least require two keys (e.g. 1. application number and date/time of application, 2. application number and UID number), where the second key is something only the applicant knows.
  • On a mismatch, show only the conflicting field, not the DOB and father's name along with it.
  • Don't provide the status once a month has passed after the PAN card has been received by the applicant.

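As an added example (this is not UTI ITSL's code, nor the scraper described above), here is a toy Python status-lookup that puts the single-key design beside one that applies the suggestions: an unguessable reference, a second key (the application date), a 30-day cutoff after delivery, and, on a mismatch, only the conflicting field. All names, PANs, dates and numbers are constructed sample data, and the function names are mine. The same single-key pattern is what the BSNL instaPay lookup further down this page suffers from.

```python
# Added example, not UTI ITSL's code: a toy status-lookup service that shows
# the flaw described above (one guessable key returns everyone's PII) next to
# a version that applies the suggestions. Every record is constructed sample
# data; the names, PANs and dates are invented.
import hmac
import secrets
from datetime import date, timedelta

# --- Vulnerable design: a sequential 9-digit coupon number is the only key ---
VULN_DB = {
    100000001: {"name": "Applicant One", "pan": "AAAPA0001A", "father": "Father One",
                "dob": "1980-01-01", "delivered": "2017-03-09", "mismatch": None},
    100000002: {"name": "Applicant Two", "pan": "AAAPA0002A", "father": "Father Two",
                "dob": "1985-05-05", "delivered": "2017-03-10", "mismatch": "name"},
    100000003: {"name": "Applicant Three", "pan": "AAAPA0003A", "father": "Father Three",
                "dob": "1990-09-09", "delivered": None, "mismatch": None},
}


def vulnerable_status(coupon):
    """Anyone who types a coupon number gets the whole record back, no questions asked."""
    rec = VULN_DB.get(coupon)
    return dict(rec) if rec else None


def enumerate_vulnerable(start, count):
    """What the 'tiny script' does: walk the counter and keep every hit."""
    return [r for n in range(start, start + count) if (r := vulnerable_status(n))]


# --- Hardened design ---
STATUS_TTL_AFTER_DELIVERY = timedelta(days=30)


def register_application(db, applied_on, **record):
    """Issue an unguessable reference instead of the next counter value.

    applied_on and record["delivered"] are ISO date strings (YYYY-MM-DD).
    """
    ref = secrets.token_hex(8)  # 64 random bits; there is no neighbour to +1 into
    db[ref] = {"applied_on": applied_on, **record}
    return ref


def hardened_status(db, ref, applied_on, today):
    """Lookup needs the reference AND the application date, and returns minimal fields."""
    rec = db.get(ref)
    # Unknown reference and wrong second key get the same answer; the second key is
    # compared in constant time so the response does not leak how many characters matched.
    if rec is None or not hmac.compare_digest(rec["applied_on"], applied_on):
        return None
    delivered = rec.get("delivered")
    if delivered and date.fromisoformat(today) > date.fromisoformat(delivered) + STATUS_TTL_AFTER_DELIVERY:
        return {"status": "closed"}  # no PII once the card has been in hand for a month
    out = {"status": "delivered" if delivered else "processing"}
    # On a mismatch, echo only the field that conflicts, not DOB and father's name too.
    if rec.get("mismatch"):
        field = rec["mismatch"]
        out["mismatch_field"] = field
        out[field] = rec[field]
    return out


if __name__ == "__main__":
    print("enumeration of the vulnerable service:", enumerate_vulnerable(100000000, 10))
    db = {}
    ref = register_application(db, "2017-02-01", name="Applicant Two", pan="AAAPA0002A",
                               father="Father Two", dob="1985-05-05",
                               delivered="2017-03-10", mismatch="name")
    print("hardened, right second key:", hardened_status(db, ref, "2017-02-01", "2017-03-15"))
    print("hardened, wrong second key:", hardened_status(db, ref, "2017-02-02", "2017-03-15"))
    print("hardened, a month after delivery:", hardened_status(db, ref, "2017-02-01", "2017-05-01"))
```

The point of the comparison is that `enumerate_vulnerable` needs nothing but a loop, while against the hardened lookup an attacker has to guess a 64-bit reference and the application date together, and even a correct guess yields at most one status word plus the single conflicting field, and nothing at all a month after delivery.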

(I tried to contact the people at UTI ITSL: their email (utiitsl.gsd@utiitsl.com) bounces, no one picks up the phone, and for snail mail I don't have the postal stamps.)

Eti.

Truecaller for BSNL Landlines

Here is a portal by BSNL where you can pay your telephone bills online: https://portal1.bsnl.in/aspxfiles/instaPay.aspx. After a long time, BSNL has started making use of technology for public services beyond providing basic broadband.

I have been paying my landline bill online for 6-7 months through this portal. Initially I had to provide my phone number and account number, and only then was I asked for my bank details to make the payment. I guess people were confused by the account number field, so last month BSNL changed the portal's text fields. Nowadays we don't have to provide the account number at all, and the portal now works like the Truecaller app for getting the owner's name. Along with the owner's name, it gives the outstanding payment details. I think BSNL's portal is not taking our privacy seriously: anybody can get the owner's name and the bill details just by providing the phone number. It works for individual bills, not for corporate ones.

Compared with Truecaller, BSNL's portal offers more: we get the verified name of the phone's owner (as in BSNL's database) and the current bill details. And the best part: unlike Truecaller, we don't need to provide any authentication details or install an app on our phone to use BSNL's portal. This may not be a security issue for the customers, but it is a clear violation of their privacy.

(You can give it a try. Visit the Instapay portal, enter the BSNL landline number of a friend and the captcha code. You don't need to provide any mobile number or email address. Click ‘Submit’ and you will be shown the landline owner's name and their outstanding amount.)