Appsec · August 20, 2023

PII information Disclosure, All IAS officers including secretaries, Denial & Silent Fix

This is the easiest bug I have found by far in my overlong career, so this won't be a long post. My parents always told me to look forward to being like Mr. Arvinda Padhee, my hometown IAS officer. I started searching for information about him on Google and elsewhere. After going through Wayback URLs and cached endpoints, I found this URL: https://supremo.nic.in/eo/ERSheetHtml1.aspx?OffIDErhtml=15838&PageId=xxxxxxxxxxx

The page is served as though the visitor were already authenticated, so no login is needed. Changing the officer ID parameter (OffIDErhtml=xxxx in the URL) shows other officers' information, which makes it very easy to automate and scrape the whole set.
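From the defender's side, the tell-tale sign of this kind of scraping is one client walking through many distinct officer IDs in a short time. The following is an added example (my code, not code from the original post or from the supremo.nic.in site): a small detector that parses combined-format web-server log lines and flags any client IP that requests more than a threshold of distinct OffIDErhtml values for the ER sheet endpoint within a sliding window. The log lines, IP addresses, timestamps, officer IDs and threshold are all constructed assumptions for illustration.

```python
# Added example (not from the original post): detect officer-ID enumeration
# against the ER sheet endpoint by counting distinct OffIDErhtml values
# requested by each client inside a sliding time window.
# Log lines, IPs, timestamps and IDs below are constructed, not real data.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Combined log format: ip ident user [ts] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ER_SHEET_PATH = "/eo/ERSheetHtml1.aspx"  # path taken from the URL in the post


def parse_line(line):
    """Parse one access-log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    qs = parse_qs(url.query)
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": url.path,
        "status": int(m.group("status")),
        "officer_id": qs.get("OffIDErhtml", [None])[0],
    }


def find_enumerators(lines, path=ER_SHEET_PATH,
                     window=timedelta(minutes=5), threshold=20):
    """Return {ip: peak distinct officer IDs seen within `window`} for clients
    that reach `threshold`. Lines for each IP are assumed to be in time order."""
    per_ip = defaultdict(deque)  # ip -> deque of (timestamp, officer_id)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["path"] != path or rec["officer_id"] is None:
            continue
        q = per_ip[rec["ip"]]
        q.append((rec["ts"], rec["officer_id"]))
        # drop requests that have fallen out of the sliding window
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({oid for _, oid in q})  # repeats of one ID don't count
        if distinct >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), distinct)
    return flagged


def build_sample_log():
    """Constructed sample: one scanner walking 50 sequential IDs, one ordinary
    user looking at two officers over ten minutes."""
    ist = timezone(timedelta(hours=5, minutes=30))
    base = datetime(2023, 8, 20, 10, 0, 0, tzinfo=ist)
    line = ('{ip} - - [{ts}] "GET ' + ER_SHEET_PATH +
            '?OffIDErhtml={oid}&PageId=1 HTTP/1.1" 200 5123')
    lines = []
    for i in range(50):  # scanner (constructed IP): one ID per second
        lines.append(line.format(ip="203.0.113.7",
                                 ts=(base + timedelta(seconds=i)).strftime(TS_FMT),
                                 oid=15800 + i))
    for i, oid in enumerate((15838, 15838, 16002)):  # ordinary user
        lines.append(line.format(ip="198.51.100.20",
                                 ts=(base + timedelta(minutes=5 * i)).strftime(TS_FMT),
                                 oid=oid))
    return lines


if __name__ == "__main__":
    for ip, count in find_enumerators(build_sample_log()).items():
        print(f"possible ID enumeration from {ip}: {count} distinct officer IDs")
```

The threshold and window are deliberately conservative; a single user legitimately opening a handful of ER sheets stays well under them, while a scraper stepping through sequential IDs crosses the line within seconds. The real fix is server-side (the page must check that the caller is allowed to view that officer's record), but this kind of rule is how you would notice the scraping in the meantime.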

I reported this issue but didn't get a response. I reminded them again after 30 days. The usual government-office delays.

But isn't all this information already available in the ER sheet on Know Your IAS? Not exactly: through this issue you can also see caste information, signature and, in some cases, thumbprints, along with other details that are not in the ER sheet.

I noticed after a few days that the issue had been fixed, but I was not informed. I mailed them and got the response below. Surely not user enumeration 😏

With the new Digital Personal Data Protection Bill introduced, the question remains: who will impose the penalty on the government? In many cases the government is not able to tell which data should be public and which should be private. For example, in the case below, the complainant's information (address, phone number, etc.) is disclosed to the public.
