How the Congress IT Cell Compromised Their Own Database

Summary: The backend and database systems of India’s current opposition party, the Indian National Congress, have been leaking data of their leaders and volunteers. I looked at some of their websites, and here are the results.

Let’s go over each website and app in detail, starting with:

1) incsmw.in

The website and the initiative were heavily promoted by the media.

Yesterday it came to light that the data collected through this website was not secure. The issue was first exposed by Twitter user @rsgovin in this thread.

In his thread, he shares different screenshots of the database as well as the admin section.

Naturally, once this issue came to light, Congress Social Media volunteers went on the defensive and started talking about taking legal action against those who had exposed their database.

The crux of their statement is that the website is safe and secure and that whatever data breach happened was due to ‘illegal actions’.

In this post, I will share with you how their website is itself at fault. All their reasoning about ‘illegal access’ is a BIG LIE. You don’t even need ‘access’ to download their database.

All their admin credentials were out in the open. Just check this video.

If you go to their website https://incsmw.in, you will find that they are enrolling volunteers through a chat-based application in which you answer different questions, ranging from your education to the hours per day you are willing to contribute.

For your contact information, they ask for your social media profiles, email, and phone number. The phone number is the only thing that is verified via OTP.

Once you have given all your details, you are added to their database and you officially become a member of the Congress Social Media Team.

Congratulations, you are now ready to change the world, but …….

Do you want to know what is happening in the background? Do you care if your data is secure? If your answer to either of these questions is “yes”, then let’s find out.

From here on, I will have to go a little bit into the tech side of things, but I will not bore you with the technical bullshittery, so just read along. I will try to add screenshots wherever possible. I will share code written in JavaScript, which is the Ranveer Singh of programming languages, so just like him, please bear with the code as well.

1. The OTP API

https://www.incsmw.in/api/services/workerOtp

This is the endpoint they use to send the OTP SMS. All you need to send an SMS through it is any mobile number as a parameter: no login, no token, no CAPTCHA.

That’s it. Nothing else.

So what kind of opportunities does this provide? Because the endpoint takes nothing but a phone number, you can write this short script and it will send as many messages as you want.

In the script, I was only running a loop 10 times over just my own number. If I had a database of mobile numbers (which we will have shortly), what if I wanted to spam them? I could have just used this script, changed one line, and nothing could have stopped me.

Apart from that, I am sure Congress is paying for each SMS, and TRAI has strict regulations about this sort of thing.

[Update: At the time of writing this, I think they have stopped sending OTPs right now as they are busy working on a fix]

Moving along, let’s talk about the data. What happens to your data once you have successfully registered on their platform?

2. How secure is the data?

https://www.incsmw.in/api/services/update_user

As you can see, this endpoint is called for each answer that you give.

In the screenshot above, note the user_id value, which is just a plain sequential number. Remember this point; it will play an important role later on.

Moving along…………..

Right-click on the page and choose Inspect to open the browser’s developer tools; under Application and then Frames you can find the client-side code of any website. Follow along from there.

This is written in AngularJS, which I have heard is the Amitabh Bachchan of JavaScript frameworks: old, reliable, but I am yet to learn it.

Similarly, you can also find the client-side code of https://incsmw.in/admin/login/ on this page. This is the admin section.

Update: Right now it’s redirecting to the home page, but worry not, I had saved it earlier. You can find the code here on GitHub.

If you skim through the code, you will find that it gives away the list of all the APIs they use to communicate with their server.

For example, the social_chat_details API returns the details of any user. The only thing you need to provide is a user_id.

NOTHING ELSE, NO TOKEN, NO SECURITY

Once you hit the API from any client, it returns all kinds of details about the user. What kind of details, you ask? Well, here is the API in all its glory when fired from Postman.

If you prefer a prettier version of the above response, here is the same info in VS Code.

Now, as you could have guessed (I hope), this unauthenticated endpoint is a textbook insecure direct object reference: to get the information of any volunteer, the only thing you have to do is request the API with a different user_id, which as we can see is just a number.

The convenient thing (for an attacker) about using a sequential integer as the primary id is that adding one to it gets you the next record in the database.

So, all you have to do is write a script that calls this API with successive user_ids in a loop over different ranges, write each response to a .json file, and voila, you have their entire database in your hands in a few minutes.

All in all, you just need this much code to get all the information.

Here is the output you will get.

Once you have the JSON data, you can use any online JSON-to-CSV converter to get the entire database in CSV format. I have hidden the mobile numbers, WhatsApp numbers, and email ids in this sheet.

3. OTHER APIs

  1. https://www.incsmw.in/api/services/google_form_socialchat/details
  2. https://www.incsmw.in/api/services/volunteers/details

The second API needs volunteers_id as a parameter instead of user_id, but the rest of the process remains the same.

The volunteer API returns more fields as you can see below.

Apart from that, there are APIs that give out the total number of registrations. If you want, you can get real-time information on how many volunteers they have registered just by sending a request. Again, no security whatsoever.

Finally, the worst API that they left public is the DELETE volunteer API.

Just like the ones above, this API needs nothing but the volunteers_id, and it will delete that user from the database. So….

BASICALLY, YOU CAN DELETE THEIR ENTIRE DATABASE

2) congressmembership.com

It was facing the same issue as incsmw.in, i.e. unsecured APIs that granted unrestricted access to their database.

Current Status: The website has been brought down after they learned of the issues.

3) congresssandesh.com

This is Congress’s website for managing their outward communication through press releases and videos. The party had given login credentials to all the leaders as well as senior leaders. Registered members of the website could upload press releases and videos and also authorize new users for different roles, etc.

The website is also used to collect suggestions from users about the party.

While viewing their client-side code, I found the list of all the APIs they were using, and also that they had pushed an API key to production along with it.

A little bit of code and I had their super-admin access to do whatever I wanted to do. Here is the video demonstrating how I got the super admin username and password.

Apart from that, I was able to get access to their entire database of users’ credentials and passwords, suggestions given by users, etc.

Current Status: The website has been brought down.

4) congresssandesh Mobile App

The issue with the app remains the same: they embedded an API key directly in it, which allows anyone to call their APIs and access their database.

Current Status: This app uses the same backend as the above website so right now it is not working properly.

Note: This app is one of the portfolio projects of the company that built it:
http://coronation.in/wp-content/themes/coronation/assets/pdf/Coronation_Presentation_For_Web-1.pdf

5) profcongress.com

The registration process involves giving your email, password, and mobile number.

The mobile number is verified using an OTP. If you look at their code, you will find that they are using 2factor (2factor.in) to send OTPs. The problem is that they have put the 2factor API key directly into the website itself, so every visitor can read it.

So, what you can do is just visit this URL with any phone number, and it will send an OTP SMS from the Congress party.

https://2factor.in/API/V1/c0b8a159-032e-11e8-a328-0200cd936042/SMS/<phoneno>/AUTOGEN/profcong%20OTP

You can also check their OTP balance by visiting this URL.

https://2factor.in/API/V1/c0b8a159-032e-11e8-a328-0200cd936042/BAL/SMS

If you wanted to get funky, you could easily exhaust their SMS balance with this much code, running a loop over any number for as long as you want.

6) incsmwarriors.com

The DB dump was created on 5th Feb.

The DB dump file is larger than 25 MB and contains almost their entire database. Before incsmw.in, Congress used to register its volunteers through the website incsmwarriors.com, which is nothing but a Google Form.

I suspect that all the data entered up to 5th Feb is in this DB dump’s volunteer table.

There are 2670 rows in this table with all their details like name, phone number, social media URLs, etc.

7) congressmembership.in

The interesting thing is that once you verify your mobile number, it only asks for your Voter ID card. Apart from that, they don't ask many questions.

There is a table in the Congress DB dump matching what they ask users to input here.

This table contains 12,317 rows of identifiable information about volunteers/members: name, mobile number (verified), and voter id.

Who built this website?

It looks like the company that was hired to make this website is http://coronation.in

8) Summary

When this initiative was launched, the leader of the Congress party said and I quote

“We also need warriors to defend liberal values, to defend the ideas of compassion, peace, harmony and affection,”

Maybe, start by defending your data first.

9) Update

If they are in the process of updating the website, then they should at least acknowledge that the breach was their own fault and not lie about it publicly.

When this news first came to light, we were told that there were international hackers behind all of it.

You don’t need any international hackers when you put your entire database dump online and put API credentials in the website itself.

10) Code of the Project

Here is the link: https://github.com/shashichander009/congdata

Thank you for reading. You can follow me on Twitter: @devzoy

Jai Hind!
