[.c-text-600-2]Some backstory[.c-text-600-2] — In early October, CyberX9’s research team discovered a critical security vulnerability in CDSL — India’s largest securities depository — in early October 2021. CDSL was exposing extremely sensitive personal and financial data of ~43.9 million (~4.39 crore) investors in India. Back then we responsibly reported the vulnerability to them and they took ~7 days to fix the vulnerability while an immediate fix could’ve been done in max two hours.
[.c-text-600-2]Now[.c-text-600-2] — on 29th October 2021, our research team got to work again and within couple of minutes they found a laughably easy and complete bypass for the fix that CDSL implemented to patch the earlier reported vulnerability. Means, we found CDSL once again, for the second time, exposing same extremely sensitive personal and financial data of ~43.9 million (~4.39 crore) investors as earlier.
[.c-box][.c-box-wrapper]19th Oct 2021: Reported the initial vulnerability exposing sensitive data of ~4.39 crore investors
26th October 2021: Vulnerability gets fixed[.c-box][.c-box-wrapper]
[.c-box][.c-box-wrapper]30th Oct 2021: Reported the new vulnerability again exposing the same sensitive data of ~4.39 crore investors
1st Nov 2021: Vulnerability gets fixed[.c-box][.c-box-wrapper]
Both times data of people being exposed was of those who did their market securities KYC. In India, you’ve to go through a KYC process for investing in securities like stocks, mutual funds, bonds. CDSL’s CVL is a top KYC registration agency approved by the Government of India.
Similar to last time, the discovered issue was an authorisation vulnerability in a public CDSL’s KYC API, leading to exposing the massive amount of sensitive data to the whole internet.
The data included sensitive personal details of people like full name, complete PAN No., gender, marital status, father/spouse’s full name, complete Date of Birth, nationality, complete residential address, complete permanent address, contact number(s), email address, occupation details.
And sensitive financial details like the amount of annual income tax return filed, net worth (along with the date on which it was updated), Demat account number, broker name, and CDSL Client ID.
The data of ~43.9 million (~4.39 crore) people exposed this time again, dates back to around 2005 (when people applied for their KYC back then).
Such data is highly sensitive and can prove fatal for people whose such data gets in the hands of malicious attackers.
Even after our earlier finding of CDSL exposing the same type of sensitive data of ~4.39 crore investors, we strongly questioned the state of security of sensitive personal and financial data of investors by CDSL and overall cyber security posture is visibly extremely horrible at CDSL. And this new finding just proves it more strongly with no improvement from CDSL after our earlier finding.
This was once again a case of sheer negligence by CDSL in securing sensitive client data. The vulnerability wasn’t highly complex this time too for our team to discover. So does any malicious attacker who could’ve discovered it too and stolen all the data. We strongly suspect that the data might’ve already been stolen by malicious attackers. There is a need for a fair security audit of CDSL by the government.
[.c-box-wrapper][.c-box]“has in place a stringent policy and systems to ensure confidentiality of data.” — CDSL mentions on their website[.c-box][.c-box-wrapper]
[.c-box-wrapper][.c-box]Keeps on exposing all of your sensitive data to the whole internet, again and again — truth, in reality [.c-box][.c-box-wrapper]
The nature of the vulnerability here indicates extreme negligence in handling sensitive personal and financial data of people. And that is not something we expect from the largest Indian depository. They clearly do not stand on what they promise about the security and confidentiality of customer data.
The vulnerability is extremally critical due to its massive impact, but the nature of vulnerability found here also indicates horrible security practices at CDSL. That’s why, from our vast experience in the security field, our researchers strongly suspect there might be more such critical security issues in CDSL — potentially resulting in people losing access to their holdings in their CDSL Demat account.
CDSL doesn’t even mention a way to contact their security team (if that even exists) to responsibly report security vulnerabilities. In contrast, most companies nowadays do mention such contact since it helps researchers quickly report security issues to companies.
If you invest in stocks, mutual funds, etc. then you should’ve definitely gone through the market securities KYC and there are good chances your KYC was done by CDSL’s CVL since they are one of the major and biggest KYC registration agency in India — then your data might’ve been exposed due to this vulnerability too. Being a client, you should email/call CDSL to question why they keep on exposing your sensitive personal and financial data. CDSL is also in breach of Right to Privacy which is a constitutional right to every Indian.
[.c-mb-40]This is extremely sensitive data which is usually the base information needed for many malicious attacks against individuals and organisations. And we ourself have found CDSL exposing that level of sensitive data of ~4.39 crore investors, twice. Though there is an indefinite number of possible malicious use cases for such highly sensitive data of millions of people, below are few to give people an idea.[.c-mb-40]
[.c-text-bg-pink]1.[.c-text-bg-pink] The information exposed by CDSL could be a virtual gold mine also for phishers and scammers involved:
[.c-row-flex][.c-box-pink]“Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other forms of communication.” — SearchSecurity[.c-box-pink][.c-text-column][.c-text-column][.c-row-flex]
1. in so-called Business Email Compromise (BEC) scams, which often impersonate brokers, banks, and businesses in a bid to trick individuals and companies into transferring funds to fraudsters. According to the FBI, BEC scams are the most costly form of cybercrime today.
2. in scams, extortion calls to filtered individuals based on their financials from this exposed data.
3. in scam calls pretending to be from the victim's bank or Income Tax Department or some other institution and getting the victims to trust by telling them their sensitive personal and financial details being exposed from this vulnerability.
4. in income tax refund scams.
[.c-mb-40]Armed with such access to CDSL KYC data, phishers and scammers would have an endless supply of compelling scamming templates for calls and emails to use. A database like this would also give fraudsters a constant feed of new investors getting KYC to target them.[.c-mb-40]
[.c-text-bg-pink]2.[.c-text-bg-pink] Also, there is a possibility of malicious people as part of identity theft, open bank accounts, take loans, and similar using this exposed data. In market securities KYC (of which data was being exposed), people have to give much more information than any other type of KYC.
[.c-text-bg-pink]3.[.c-text-bg-pink] This data can be used to disrupt the Indian share market. It’s a gold mine for malicious attackers looking to spread misinformation to manipulate Indian share markets. There are malicious actors always actively trying to spread misinformation to manipulate markets, but reaching the real investors (essentially, the new investors who are more vulnerable to misinformation) also including high-net-worth investors is a hurdle, but with access to such data of investors, they can disrupt and manipulate the share markets much more efficiently. This data can also be used by enemy countries to disrupt Indian markets.
[.c-text-bg-pink]4.[.c-text-bg-pink] People commonly use the type of information been exposed here as their passwords and security questions to services. That’s why it can also lead to people’s social media, emails, and other accounts being hacked by malicious attackers using their information from this expose.
[.c-text-bg-pink]5.[.c-text-bg-pink] Such sensitive personal and financial data expose of massive numbers of people easily leads to things like financial fraud, identity theft, and exposing people to things like extortion, targeted attacks against people, etc. An attacker can also possibly use this sensitive information to attack investors Demat accounts that hold mutual funds, equity shares, etc. The type of data being exposed is also used for secret questions for multiple services like net banking and verification on call for executing trades on many brokers.
[.c-text-bg-pink]For years,[.c-text-bg-pink] governments have been imposing hefty fines on companies for exposing and leaking customer data worldwide. But in India, there has not been any such significant example. Under the GDPR law of the European Union, even when a company clearly didn’t take reasonable security steps to secure sensitive data, the companies got hefty fines.
Some prominent past incidents of such fines:
[.c-row-flex][.c-box-pink]“In July 2019, Equifax settled a lawsuit stemming from its 2017 data breach, which exposed the personal information of 147 million people. Under the settlement with the FTC, CFPB and state attorneys general, Equifax has agreed to spend up to $425 million to help people affected by the data breach.” — Source[.c-box-pink][.c-text-column][.c-text-column][.c-row-flex]
Under GDPR law, famously British Airways and Marriott have all received fines over €10,000,000 for GDPR violations where they exposed customer data and were fined for insufficient technical and organisational measures to ensure information security (similar to CDSL). You can see other fines made under GDPR privacy law for cyber security negligence here.
Since last time we failed to get any reply from CDSL when we directly tried to report to them and CDSL only fixed the data expose vulnerability after we reported to CERT-In and NCIIPC. So this time we reported straightaway reported through the Government of India’s CERT-In and NCIIPC, which coordinates responsible disclosure of critical vulnerabilities in India.
[.c-box-wrapper][.c-box]Even this time what could’ve taken a maximum of 2 hours, took around 3 days for CDSL to secure their systems to stop the exposure of sensitive data of ~4.39 crore people[.c-box][.c-box-wrapper]
CDSL once again exposes sensitive data of ~4.39 crore people to the whole internet. Don’t have a proper way to report the security issue. Doesn’t reply. Again keeps the sensitive data being exposed and put ~4.39 crore people at risk even after being informed for ~3 days.
CDSL finally fixed the vulnerability around on 1st November 2021 after reports from CERT-In and NCIIPC.
Below is our timeline of communication with both CERT-In and NCIIPC.
30th Oct 2021: Reported to CERT-In
31st Oct 2021: They first responded the next day of our email, saying:
[.c-box-wrapper][.c-box]“Thank you for reporting this vulnerability to CERT-In. We have registered this issue under CERTIn-46107421. CERT-In appreciates your vulnerability report and we are now in process taking appropriate action with the concerned authority on priority basis.” And CERT-In requested to not to disclose publicly about this before the vulnerability gets fixed.[.c-box-wrapper][.c-box]
31st Oct 2021: We replied saying that we agree and won’t disclose publicly before the vulnerability gets fixed.
1st Nov 2021: CERT-In replied:
[.c-box-wrapper][.c-box]“The concerned organization has confirmed to us, that reported vulnerability is fixed now. You may also verify at your end and confirm to us.”[.c-box-wrapper][.c-box]
1st Nov 2021: We replied confirming that the vulnerability is no longer exploitable.
30th Oct 2021: Reported to NCIIPC
1st Nov 2021: They replied to us:
[.c-box-wrapper][.c-box]“1. We acknowledge the issue reported by you. 2. We are in the process of verification and remediation in coordination with the respective stakeholder(s) and look forward to your continued contribution.”[.c-box-wrapper][.c-box]
— No confirmation by NCIIPC if the vulnerability has been fixed or any update received after that from NCIIPC till today after that —
Same as what we expected earlier but nothing happened other than CDSL once again exposing sensitive data of ~4.39 crore people. Ministry of Finance and SEBI, which regulates CSDL, should order a fair, thorough security audit of CSDL. To discover any past incidents when and how much data CSDL has leaked of its customers. It’s a big issue if the nation’s biggest securities depository has such a poor cyber security posture and handles sensitive customer data with such negligence.
CDSL should itself also get comprehensive security testing done of its applications to check for more vulnerabilities.
We strongly recommend companies not to take cyber security as an optional thing but as one of the most important things to do. All companies should do regular security testing of their applications to avoid such security vulnerabilities. Especially companies like CDSL, which handles massive amounts of sensitive and confidential data of millions of people, should have continuous security testing of their applications done by skilled security engineers.
Subscribe to our newsletter to get our upcoming findings in your inbox!
Press: for any questions or request of evidence relating to this finding, feel free to contact us at firstname.lastname@example.org
We won't spam you but only send content you'll like and you can unsubscribe anytime.