A “security flaw” in the Punjab State Power Corporation (PSPCL) website has made consumer data accessible to hackers, according to cybersecurity analyst and ethical hacker Sunny Nehra.
The government-owned power utility has around 95 lakh consumers across Punjab.
Nehra said that he discovered the alleged loophole in the PSPCL website while testing out its security when a friend of his had to pay their power bill, according to a report in ThePrint.
Nehra is the administrator of a YouTube channel called ‘Hacks & Security’ with over 32,000 followers. The channel claims to offer “in-depth knowledge of technical stuff”. The namesake website “focuses on improving your knowledge, skills, concepts, vision, approach and understanding regarding the digital world”.
“On 22 March, a friend had to pay their PSPCL electricity bill, so that got me started testing out how secure the PSPCL website was,” Nehra said.
“I was shocked to find a vulnerability that allowed me to access all customer and billing information. Customer name, phone number, resident and email addresses, everything can be extracted,” Nehra added.
Nehra further explained that he had not counted how many customers’ data could be extracted, but it looked like “anyone who has paid a PSPCL bill online might be affected by this”. He had alerted an official at CERT-In (Indian Computer Emergency Response Team), the nodal agency under the Ministry of Electronics and Information Technology of India that responds to cybersecurity threats, as well as an IAS officer in Punjab, about the security flaw.
Nehra further pointed out that he had found that the PSPCL website had no proper mechanism to stop malicious code from being used at the backend to access confidential data.
In response to ThePrint’s queries on the matter, Harjit Singh, the officer on special duty (OSD) to PSPCL Chairman and Managing Director Baldev Singh Sran, said in an email: “The issue reported regarding exposing mobile/email of registered consumers, during voluntary consumer registration, stands addressed.”
However, Nehra said that while the PSPCL weblink related to contact registration had been secured, the link related to bill payment was yet to be secured as of Thursday, the report added.
According to Nehra, the security flaw in the website was due to an ‘Insecure Direct Object Reference (IDOR)’ vulnerability, also known as ‘Broken Object Level Authorisation (BOLA)’.
IDOR vulnerabilities happen when the website’s access checks are not designed properly: a user is authenticated, but the site never verifies that the particular record being requested belongs to that user. This can allow users to access more information stored on the website’s servers than they have the right to access.
The report further explained that poor web design leading to an IDOR vulnerability includes showing a parameter like a customer account number in the web link itself.
For example, a link like ‘www.xyz.com/myaccount/uid=12’ has a parameter called ‘uid’. This value of ‘uid’ can be manually changed to 19, 20, etc., to access other users’ web pages.
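The following is an added illustration, not code from the article or from PSPCL, of what the ‘uid’ example above looks like on the server side: one bill-lookup handler that trusts the ‘uid’ in the link (the IDOR pattern) beside one that first checks the record belongs to the logged-in user (the object-level authorisation the BOLA name refers to). The account numbers, names, amounts and session tokens are constructed sample data.

```python
# Added example (not PSPCL code): the IDOR pattern beside its corrected form.
# All records, sessions and amounts below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Bill:
    uid: int          # the account number that appears as 'uid' in the link
    owner: str        # the login that the bill belongs to
    amount_due: int   # constructed amount, in rupees


# Constructed backend records, keyed by the 'uid' value from the link.
BILLS = {
    12: Bill(12, "alice", 1450),
    19: Bill(19, "bob", 980),
    20: Bill(20, "carol", 2310),
}

# Constructed session store: session token -> logged-in user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_bill_vulnerable(session: str, uid: int) -> Bill:
    """IDOR: the caller is authenticated, but the 'uid' they supply is used
    directly, so changing 12 to 19 in the link returns someone else's bill."""
    if session not in SESSIONS:
        raise Forbidden("not logged in")
    return BILLS[uid]          # no check that BILLS[uid] belongs to this user


def get_bill_fixed(session: str, uid: int) -> Bill:
    """Object-level authorisation: the record must belong to the logged-in
    user. 'Missing' and 'not yours' return the same error so the response does
    not confirm which account numbers exist."""
    if session not in SESSIONS:
        raise Forbidden("not logged in")
    user = SESSIONS[session]
    bill = BILLS.get(uid)
    if bill is None or bill.owner != user:
        raise Forbidden("no such bill for this user")
    return bill


def records_visible_to(lookup, session: str, uid_range: range) -> list[int]:
    """Regression check for a service owner: walk a range of uids with one
    session and report which ones the handler returned. The correct handler
    should return only the caller's own account."""
    visible = []
    for uid in uid_range:
        try:
            lookup(session, uid)
            visible.append(uid)
        except (Forbidden, KeyError):
            pass
    return visible


if __name__ == "__main__":
    print("vulnerable:", records_visible_to(get_bill_vulnerable, "sess-alice", range(10, 25)))
    print("fixed:     ", records_visible_to(get_bill_fixed, "sess-alice", range(10, 25)))
```

The fix is the single ownership comparison in `get_bill_fixed`; the session proves who the caller is, and the comparison proves the requested object is theirs. Running `records_visible_to` against both handlers with one session is a cheap check to keep in a test suite so the ownership check cannot be dropped unnoticed.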
This way, an attacker can feed the PSPCL account number parameter to an automated script that runs through every value an account number could take, retrieving the customer information linked to each of those other account numbers as well.
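Walking through account numbers with a script leaves a recognisable footprint in the web server’s access log: one client asking for many different ‘uid’ values in a short time. The following added example, not from the article or PSPCL, parses constructed access-log lines in a common web-server format and flags clients that requested more than a threshold of distinct ‘uid’ values. The path ‘/myaccount’ and the ‘uid’ parameter are taken from the article’s example, written here as a query string; the IP addresses, timestamps and sizes are constructed.

```python
# Added example (not PSPCL code): flag clients that request many distinct
# account numbers, the footprint of scripted parameter-walking.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Common access-log shape: ip ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client walks uid=12..18, one client repeatedly
# views its own bill, one client never touches the bill page, one line is junk.
SAMPLE_LOGS = """\
203.0.113.5 - - [22/Mar/2021:10:00:01 +0530] "GET /myaccount?uid=12 HTTP/1.1" 200 512
203.0.113.5 - - [22/Mar/2021:10:00:02 +0530] "GET /myaccount?uid=13 HTTP/1.1" 200 498
203.0.113.5 - - [22/Mar/2021:10:00:02 +0530] "GET /myaccount?uid=14 HTTP/1.1" 200 501
203.0.113.5 - - [22/Mar/2021:10:00:03 +0530] "GET /myaccount?uid=15 HTTP/1.1" 200 497
203.0.113.5 - - [22/Mar/2021:10:00:03 +0530] "GET /myaccount?uid=16 HTTP/1.1" 200 503
203.0.113.5 - - [22/Mar/2021:10:00:04 +0530] "GET /myaccount?uid=17 HTTP/1.1" 200 499
203.0.113.5 - - [22/Mar/2021:10:00:04 +0530] "GET /myaccount?uid=18 HTTP/1.1" 200 502
198.51.100.7 - - [22/Mar/2021:10:00:03 +0530] "GET /myaccount?uid=12 HTTP/1.1" 200 512
198.51.100.7 - - [22/Mar/2021:10:05:00 +0530] "GET /myaccount?uid=12 HTTP/1.1" 200 512
192.0.2.9 - - [22/Mar/2021:10:01:00 +0530] "GET /login HTTP/1.1" 200 1024
this line is not an access-log record
"""


def distinct_uids_per_client(log_text: str, path: str = "/myaccount") -> dict[str, set[int]]:
    """Map each client IP to the set of distinct numeric 'uid' values it
    requested on the given path. Unparseable lines and non-numeric uids are skipped."""
    seen: dict[str, set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # junk or a format we do not understand
        parts = urlsplit(m.group("url"))
        if parts.path != path:
            continue                      # only the bill page is of interest
        for value in parse_qs(parts.query).get("uid", []):
            if value.isdigit():
                seen[m.group("ip")].add(int(value))
    return dict(seen)


def flag_enumerators(log_text: str, threshold: int = 5) -> list[str]:
    """Return the client IPs that requested at least `threshold` distinct uids.
    A legitimate consumer views one or two accounts; a walker views many."""
    per_client = distinct_uids_per_client(log_text)
    return sorted(ip for ip, uids in per_client.items() if len(uids) >= threshold)


if __name__ == "__main__":
    for ip, uids in distinct_uids_per_client(SAMPLE_LOGS).items():
        print(f"{ip}: {len(uids)} distinct uid values")
    print("flagged:", flag_enumerators(SAMPLE_LOGS))
```

The threshold is deliberately a parameter: a household with several connections legitimately views a few accounts, so the value should be set from the site’s own baseline. Counting distinct values rather than raw request volume is what separates a walker from a consumer who simply refreshes their own bill page, as the 198.51.100.7 lines show. Once the server enforces ownership as in the earlier handler, the same walk shows up as a run of 403 responses, so the status column is a second signal worth keeping.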