Source code and records of Integrated Road Accident Database of India breached
Take action: Never store credentials in source code, because every source code will eventually leak. And never store cleartext passwords. Users are already lazy enough to recycle passwords, don't add a layer of stupid.
Learn More
The Integrated Road Accident Database (iRAD) website, a critical initiative under the Ministry of Road Transport and Highways in the Government of India has been breached. The breach revealed that the source code of the iRAD website had been leaked and shared on an underground cybercrime forum.
The leaked source code, totaling 165 MB and primarily written in PHP, exposed sensitive assets including
- hostnames,
- database credentials,
- passwords.
The simplicity of certain passwords identified by cybersecurity analysts poses a potential vulnerability for brute-force attacks if the servers can be accessed - either remotely or from within the networks of iRAD.
Analysis of the leaked source code revealed disconcerting vulnerabilities:
- References to the NIC SMS Gateway (sms.gov.in) within the code could provide unauthorized individuals with the ability to send messages to Indian nationals.
- Embedded URLs contained fields for usernames and passwords, raising concerns of unauthorized access.
The same threat actor responsible for sharing the source code on August 7, 2023, subsequently released a sample dataset comprising 10,000 user records obtained from a vulnerable API endpoint on the iRAD website. The breach exploited an SQL injection vulnerability, which was trivial to be identified since the source code was available for reference.
The leaked dataset includes sensitive user information such as
- user IDs,
- names,
- emails,
- mobile numbers,
- plaintext passwords.
Security researchers have notified the Ministry of Road Transport and Highways, Government of India, about the breach, urging immediate actions to secure the iRAD website and safeguard sensitive user data.
