Exclusive: BSNL ignores warnings of massive database vulnerability

A prominent whitehat hacker has contacted Tech2.com with details of a massive potential security breach of BSNL’s corporate network, which the public-sector telecom giant has so far failed to respond to. Our contact, who doesn’t want to be named, tells us that his emails to every publicly available contact address, including full details and screenshots, have been ignored for well over a month. It’s only a matter of time before someone with malicious intent takes advantage of the hole, he adds.

The vulnerability exists because BSNL’s enterprise resource planning (ERP) systems as well as its corporate intranet are accessible via the open Internet, and adequate filters and protections are not in place. This might be to make it easy for employees to log on from outside, as a result of shortcuts taken to make daily operations easier, or simple ignorance of the risks involved. Our contact has sent us screenshots as proof that he managed to compromise this system and log in. He was able to craft a relatively simple SQL injection in a PHP string that exposes a database of login credentials, which can be dumped in bulk to any location. It should also be relatively simple for an attacker to use this vulnerability to upload a PHP shell, which is a way for outsiders to execute arbitrary commands on the remote server. This would allow the attacker to give himself access to the entire internal BSNL network with administrator-level privileges. The potential for misuse would be enormous: an attacker could steal any number of records with subscribers’ personal information. 

A PHP shell uploaded on the compromised server. This could allow any attacker to execute arbitrary code on the server and copy entire databases of customers’ personal information.

SQL injections are a common form of attack using SQL statements, which are ordinarily used to administer or manipulate a website’s backend database. The malicious instructions are sneaked in through ordinary information entry fields or the URL itself in the hope that the web server will recognize and execute them instead of the expected behaviour of simply storing information in the database. Hackers (both malicious and ethical) routinely discover new vulnerabilities in server software that allows such code injections. Effective website administrators must make sure their server software is updated as soon as patches for these holes are released, but they must also structure their systems in ways that filter out strings of code and prevent them from being executed. Once a hole is discovered, it would be relatively simple for unauthorized strangers to copy the entire contents of the affected database, potentially including personal information, medical records, financial and banking details etc. Compounding the problem, this information is often not encrypted when it is stored on the server. Such information is extremely valuable to identity thieves and scam artists.

While we obviously cannot disclose the exact nature of the vulnerability, we have verified its existence.

Our own attempts to contact BSNL have been met with equal indifference. New-Delhi-based PRO Mr S K Sinha declined to comment and pointed us towards CMD Mr Chopra, who did not respond to our emails detailing the problem and requesting a comment.