GUWAHATI, Jan 17 - Though the security loopholes in the Government of Assam�s e-Wallet, Tokapoisa.in which were detected by a young security researcher have been fixed to a certain extent, citizens now feel that as the platform is all about money and transaction, its security should be the first priority of the developers.
The flaws in this platform were pointed out by Indrajeet Bhuyan, a 19-year-old security researcher from Guwahati who previously made the smallest possible code of 2kb which could crash WhatsApp and affected 500 million people, and also reported security holes in the WhatsApp web client, that in some way exposes its users� privacy.
It needs to be mentioned that in August 2015, Indrajeet found a flaw in the Indian banking system affecting 20,000+ Indian banks, using which an attacker can see the bank balance and transaction history of anyone. His work on banking flaw got selected in Ground Zero Summit, Asia�s foremost information security conference 2015.
Indrajeet was invited by various international security conferences like Toorcon California, Andsec Argentina etc. He has contributed security to various companies and organisations like HTC, Samsung, Photobucket, Reverbnation, TVF etc.
�The e-Wallet, Tokapoisa.in, which was launched to enable the people of the State have hassle-free online transactions in the local language, had a few serious security flaws in it which I detected on the day of its launch itself, which could be used to completely take over anyone�s account,� said Indrajeet, adding that anyone with a little knowledge of hacking could easily bypass the security features and misuse it.
Indrajeet said that such flaws can be considered if the app is in testing phase, but since the app was launched and made public, it clearly indicated that the developers failed to recognise such basic flaws during their testing phase.
The flaws that Indrajeet detected and then informed the authorities concerned, have been fixed.
The serious flaw in the e-Wallet was that anyone with a sinister design could bypass the OTP Verification while signing in. �There was no password verification, user needed to enter their phone number and an OTP was sent to their phone and once they entered the OTP, the user could sign in. Only one level of authentication was used, which is OTP. So, if an attacker bypasses the OTP he can have access to anyone�s wallet and misuse it. Once he is inside, he can make payments, steal money etc. While registering, it does not ask the user to verify, which means an attacker can register anyone�s number,� explained Indrajeet.
There was a directory listing flaw in the website by which an attacker could see all the files that are in the directory.
�There was no SSL certificates or Secure Sockets Layer in the site. SSL certificates are typically installed on pages that require end-users to submit sensitive information over the Internet like credit card details or passwords. But in the tokapoisa site there was no SSL, which means that the connection was not secured. This was the first website I saw which dealt with money and didnt have any SSL certificate,� mentioned Indrajeet.
The e-Wallet is a joint venture developed by Amtron and ICICI Bank.
�Since all the flaws were very serious, I wanted them to fix them as soon as possible because if it went to the wrong hands then they might misuse it. I demonstrated the flaws, which then got fixed,� said Indrajeet.
