The Federal Election Commission of India has fixed a flaw on its website that was publishing data related to citizen requests for information on voting eligibility status, candidates and political parties in local politics, and technical details of electronic voting machines. India is scheduled to hold its next general election in April-May to elect members of the lower house of parliament to form a new government.
The Election Commission of India has fixed a bug in its Right to Information (RTI) portal, which allows citizens to request access to the records of constitutional authorities, state and central government agencies, and private entities that receive significant funding from the Indian government.
This bug allowed users to access RTI requests, download transaction receipts, and read the responses shared by officials, without the user's login being properly authenticated.
Some of the leaked data included the RTI filing date, questions asked, applicant's name and mailing address, applicant's poverty line status, and RTI responses.
Security researcher Karan Saini discovered the bug in February and, after the Election Commission, the Computer Emergency Response Team of India (CERT-In) and the Center for National Critical Information Infrastructure Protection initially failed to respond to his queries, requested TechCrunch's cooperation in disclosing the bug to the authorities and requesting that it be fixed. These bugs were fixed earlier this week following intervention from CERT-In.
“CERT-In is coordinating with the relevant authorities on this issue. Recently, CERT-In was informed by the relevant authorities that the reported vulnerability has been fixed,” the Indian cybersecurity agency said in an email to TechCrunch on Tuesday.
The agency also confirmed the fix with researchers.
Although RTI applications and responses are not confidential under Indian law, a 2014 Kolkata High Court judgment (PDF) requires authorities to hide the personal data of RTI applicants, especially from websites, so that the public does not learn the details.
By default, the Election Commission's RTI portal does not allow you to access individual RTI applications or responses without logging in. In other words, the flaw was a privacy issue because the data could be accessed from outside without a login, and could therefore also be scraped.
The Election Commission of India did not respond to requests for comment.