Let’s go over each website and app in detail. Let’s start with
Recently, Congress launched a new website https://incsmw.in to enroll 5 lakh social media volunteers.
The website and the initiative were heavily promoted by the media.
In his thread, he shares different screenshots of the database as well as the admin section.
Naturally, once this issue came to light, Congress Social Media volunteers went on the defensive and started talking about taking legal action against those who had exposed their database.
The crux of their statement is that the website is safe and secure and whatever data breach happened was due to ‘illegal actions’.
In this post, I will share with you how their website is itself at fault. All their reasoning about ‘illegal access’ is a BIG LIE. You don’t even need ‘access’ to download their database.
All their admin credentials were out in the open. Just check this video
If you go to their website https://incsmw.in, you will find that they are enrolling volunteers through a chat-based application where you answer different questions which range from your education to hours per day you are willing to contribute.
For your contact information, they ask for your social media profiles, email, and phone no. The phone no is the only thing that is verified via OTP.
Once you have given all your details, you are added to their database and you officially become a member of the Congress Social Media Team.
Congratulations, you are now ready to change the world, but …….
Do you want to know what is happening in the background? Do you care if your data is secure? If your answer to any of these questions is “yes”, then let's find out.
1. The OTP API
As I had mentioned earlier, mobile no is the only thing they verify while collecting all data. You can write anything in name and email but for phone no they will send you an OTP. The problem is their OTP sending API is as insecure as your ex who dumped you last Valentine's day.
This is the API they are using to send SMS. All you need to send SMS through this API is any mobile number as a parameter.
That’s it. Nothing Else.
So what kind of opportunities does this provide? You can write this short script and it will send as many messages as you want.
In the script, I was only running a loop 10 times over just my own number. If I had a database of mobile numbers (which we will have shortly), what if I wanted to spam them? I could have used this script, changed just one line, and nothing could have stopped me.
Apart from that, I am sure Congress is paying for each SMS and TRAI has strict regulations about this sort of stuff.
[Update: At the time of writing this, I think they have stopped sending OTPs right now as they are busy working on a fix]
Moving along, let’s talk about the data. What happens to your data once you have successfully registered on their platform?
2. How secure is the data?
Once you verify your OTP, a record is created in the database and all subsequent answers are added to the database by calling this API
As you can see, this is done for each answer that you give.
If you see the screenshot above, you can see the user_id value which in this case is just a ‘number’. Remember this point, it will play an important role later on.
If you right click on the page and go to Inspect and follow along, you can find the client-side code of any website here. Go to Application and then Frames.
Similarly, you can also find the client-side code of https://incsmw.in/admin/login/ on this page. This is the admin section.
Update: Right now it's redirecting to the home page, but worry not, I had saved it earlier. You can find the code here on Github
If you skim through the code, you will find that it gives out the list of all their APIs which they are using to communicate with their server.
For example, the social_chat_details API provides details of all users. The only thing you need to provide is user_id.
NOTHING ELSE, NO TOKEN, NO SECURITY
Once you hit the API from any client, it provides all kinds of details of users. What kind of details, you ask? Well, here is the API in all its glory when fired in POSTMAN.
If you prefer a beautiful version of the above response, here is the same info in VScode
Now, as you may have guessed (I hope), this open backdoor into their database means that to get the information of any volunteer, the only thing you have to do is request the API with a different user_id, which, as we can see, is just a ‘number’.
The problem with using plain sequential numbers as the primary id is that every id is predictable: add one to it and you are at the next record in the database.
So, all you have to do again is write a script that calls this API with the next user_ids, using a loop counter over different ranges, and you get the information. Then you write that information to a .json file, and voila, you have their entire database in your hands in a few minutes.
All in all, you just need this much code to get all the information.
Here is the output you will get.
Once you have JSON data, you can use any online JSON to CSV converter to get the entire database in CSV format. I have hidden mobile no, Whatsapp no, and email id in this sheet.
3. OTHER APIs
You can run the same process for other APIs as well by just changing the URL and you will have the rest of their database as well. For example-
The second API will need volunteers_id as a parameter instead of user_id but the rest of the process will remain the same.
The volunteer API returns more fields as you can see below.
Apart from that, there are APIs that give out details of total registrations done. If you want, you can get real-time information on how many volunteers they have registered by just sending a request. Again No Security Whatsoever.
Finally, the worst API that they kept public is the DELETE volunteer API.
Just like the one above, this API needs only the volunteers_id and it will delete the user from the database. So….
BASICALLY, YOU CAN DELETE THEIR ENTIRE DATABASE
All you have to do is hit this API using a loop over a range between, say, 1 and 1000, and all users within that id range will go out of their database the way your crush has gone out of your life.
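The three endpoints just described (user lookup by user_id, volunteer lookup by volunteers_id, and delete by volunteers_id) all fail the same way: the server trusts a guessable number and checks nothing about who is calling. Here is an added example, not code from the site or from this post, of what the server side should look like instead: every request carries a session token tied to an authenticated volunteer, a record is returned only to its owner or an admin, deletion and registration totals are admin-only and audited, and clients see opaque public ids rather than the sequential database key. The `VolunteerService` class, its method names, the sample volunteers and the role names are all constructed for this example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Volunteer:
    volunteer_id: int       # internal sequential key; never leaves the server
    public_id: str          # opaque, unguessable handle used in API requests
    name: str
    phone: str
    role: str = "volunteer"  # "volunteer" or "admin" (constructed role names)


def mask_phone(phone: str) -> str:
    """Keep only the country code and last four digits, e.g. +91******5678."""
    return phone[:3] + "*" * (len(phone) - 7) + phone[-4:]


class VolunteerService:
    """Server-side handlers with object-level authorization on every record access.

    Contrast with the endpoints described above, which accepted a bare numeric
    id and no credential at all.
    """

    def __init__(self):
        self._by_internal = {}  # volunteer_id -> Volunteer
        self._by_public = {}    # public_id -> Volunteer
        self._sessions = {}     # session token -> volunteer_id
        self.audit_log = []     # who did what to which record

    def register(self, name, phone, role="volunteer"):
        vid = len(self._by_internal) + 1
        # The public id is random, so there is no "add one to get the next record".
        v = Volunteer(vid, secrets.token_urlsafe(16), name, phone, role)
        self._by_internal[vid] = v
        self._by_public[v.public_id] = v
        return v.public_id

    def login(self, public_id):
        # Assumes the volunteer has just proven ownership of the number (e.g. via
        # OTP); that step is outside this example. Returns an unguessable token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = self._by_public[public_id].volunteer_id
        return token

    def _caller(self, token):
        vid = self._sessions.get(token)
        if vid is None:
            raise PermissionError("not authenticated")
        return self._by_internal[vid]

    def _require_admin(self, token):
        caller = self._caller(token)
        if caller.role != "admin":
            raise PermissionError("admin role required")
        return caller

    def get_volunteer(self, token, public_id):
        caller = self._caller(token)
        target = self._by_public.get(public_id)
        if target is None:
            raise LookupError("no such volunteer")
        is_owner = caller.volunteer_id == target.volunteer_id
        if not is_owner and caller.role != "admin":
            raise PermissionError("forbidden")
        return {
            "id": target.public_id,
            "name": target.name,
            # Data minimisation: only the owner sees the full number.
            "phone": target.phone if is_owner else mask_phone(target.phone),
        }

    def delete_volunteer(self, token, public_id):
        actor = self._require_admin(token)
        target = self._by_public.pop(public_id, None)
        if target is None:
            return False
        del self._by_internal[target.volunteer_id]
        # Revoke any live sessions of the deleted volunteer.
        self._sessions = {t: v for t, v in self._sessions.items()
                          if v != target.volunteer_id}
        self.audit_log.append({"actor": actor.public_id, "action": "delete",
                               "target": public_id})
        return True

    def count_registrations(self, token):
        self._require_admin(token)
        return len(self._by_internal)
```

The session token is the only thing the server trusts; the public id in the request is just a lookup key, and the check that the caller may touch that particular record happens on every call, which is exactly the step the original endpoints skipped.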
This website was used by the Congress party to register and manage volunteers.
It was facing the same issue as incsmw.in, i.e. unsecured APIs which granted unrestricted access to their database.
Current Status: The website has been brought down after they learned of the issues.
This was fun!
This is Congress’s website to manage their outward communication through press releases and videos. The party had given login credentials to all the leaders as well as the senior leaders. Registered members of the website had access to upload press releases and videos and to authorize new users for different roles, etc.
The website is also used to collect suggestions from users about the party.
While viewing their client-side code, I found the list of all the APIs they were using, and also that they had pushed their API key to production as well.
A little bit of code and I had their super-admin access to do whatever I wanted to do. Here is the video to demonstrate how I got the super admin username and password.
Apart from that, I was able to get access to their entire database of users' credentials and passwords, suggestions given by users, etc.
Current Status: The website has been brought down.
4. congresssandesh Mobile App
If the website was not enough, they also have an app that uses the same backend and has the same functionality as above.
The issue with the app remains the same: they embedded an API key directly, which allows anyone to access their APIs and their database.
Current Status: This app uses the same backend as the above website so right now it is not working properly.
Note: This app is one of the portfolio projects of the company that built it.
This website is managed by Shashi Tharoor’s team to enroll members for the Professional arm of the Congress Party.
The registration process involves you giving your email, password, and mobile number.
The mobile number is verified using OTP. If you see their code, you will find that they are using 2factor to send OTPs. The problem is that they have put the OTP key directly into the website itself.
So, what you can do is just visit this URL with any phone number and it will send an OTP SMS from the congress party.
You can also check their OTP balance by visiting this URL.
If you wanted to get funky, you could easily exhaust their SMS balance by writing this much code and running a loop over any number for as long as you want.
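Both OTP flows described in this post (the incsmw.in OTP API in section 1 and the 2factor key embedded in the site above) let anyone trigger an SMS to any number, as often as they like, because the sending credential is reachable from the client and nothing limits calls. The following is an added example, not code from any of these sites or from this post, of a server-side OTP gate: it validates the number format, enforces per-number and per-IP send limits over a sliding window, stores only a salted hash of the code with a short TTL and an attempt counter, and hands the clear-text code to a `sender` callable that is the only component holding the SMS provider credential. The limits, the regex for Indian mobile numbers, and the `OtpGate` class with its method names are assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets
import time
from collections import defaultdict, deque

# Illustrative limits chosen for this example, not any site's real settings.
WINDOW_SECONDS = 600        # sliding window for send limits
PER_NUMBER_LIMIT = 3        # OTP sends allowed per number per window
PER_IP_LIMIT = 20           # OTP sends allowed per client IP per window
OTP_TTL_SECONDS = 300       # an OTP is valid for 5 minutes
MAX_VERIFY_ATTEMPTS = 5     # wrong guesses before the OTP is invalidated

# Indian mobile numbers in E.164 form: +91 then a 10-digit number starting 6-9.
PHONE_RE = re.compile(r"^\+91[6-9]\d{9}$")


class OtpGate:
    """Rate-limits OTP sends and verifies codes without storing them in clear.

    The SMS provider credential lives only inside `sender`, a server-side
    callable, so nothing in the browser can trigger a send except via this gate.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock                       # injectable for testing
        self.sends_by_number = defaultdict(deque)
        self.sends_by_ip = defaultdict(deque)
        self.pending = {}  # phone -> [salt, otp_hash, expires_at, attempts_left]

    def _prune(self, q, now):
        # Drop send timestamps that have fallen out of the window.
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def request_otp(self, phone, client_ip, sender):
        now = self.clock()
        if not PHONE_RE.match(phone):
            return "rejected: invalid number"
        ip_q = self.sends_by_ip[client_ip]
        num_q = self.sends_by_number[phone]
        self._prune(ip_q, now)
        self._prune(num_q, now)
        if len(ip_q) >= PER_IP_LIMIT:
            return "throttled: ip"
        if len(num_q) >= PER_NUMBER_LIMIT:
            return "throttled: number"
        ip_q.append(now)
        num_q.append(now)
        otp = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + otp.encode()).digest()
        # Only the salted hash is kept; the attempt counter is what stops guessing.
        self.pending[phone] = [salt, digest, now + OTP_TTL_SECONDS, MAX_VERIFY_ATTEMPTS]
        sender(phone, otp)  # the only place the clear-text code is handed out
        return "sent"

    def verify_otp(self, phone, otp):
        entry = self.pending.get(phone)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            self.pending.pop(phone, None)
            return False
        candidate = hashlib.sha256(salt + otp.encode()).digest()
        if hmac.compare_digest(candidate, digest):
            self.pending.pop(phone, None)  # single use
            return True
        entry[3] -= 1
        if entry[3] <= 0:
            self.pending.pop(phone, None)
        return False


if __name__ == "__main__":
    # Stand-alone demo with a fake sender that prints instead of calling a provider.
    gate = OtpGate()
    for _ in range(PER_NUMBER_LIMIT + 1):
        print(gate.request_otp("+919876543210", "203.0.113.5",
                               lambda p, o: print(f"would SMS {p}: {o}")))
```

The `sender` argument is where the real provider call and its key would live, loaded from the server environment and never shipped to the browser; the gate in front of it is what makes "any phone number, as many times as you like" impossible.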
Earlier, I mentioned that congress put their entire database dump on incsmw.in
The DB dump was created on 5th Feb.
The DB dump file is larger than 25 MB and contains almost their entire database. Before incsmw.in, congress used to register its volunteers using the website incsmwarriors.com, which is nothing but a Google form.
I suspect that all the data entered till 5th Feb is in this DB dump’s volunteer table.
There are 2670 rows in this table with all their details like name, phone number, social media URLs, etc.
This is again another website that is used by the party to register volunteers. They are doing it through a chat app that only asks you to save the nation by joining congress.
The interesting thing is once you verify your mobile number it only asks for your Voter id card. Apart from that, they don't ask you many questions.
There is a table in the DB dump of congress similar to what they are asking for users to input here.
This table contains 12317 rows which contain identifiable information of volunteers/members like name, mobile numbers(verified), and voter id.
Who built this website?
When I sorted the data with user_id/volunteer_id in increasing order, I found these entries
It looks like the company that was hired to make this website is http://coronation.in
Congress is one of the two major pan-India parties in the country. If even they don’t care about the data of their own volunteers, then why would anyone else care?
When this initiative was launched, the leader of the Congress party said and I quote
“We also need warriors to defend liberal values, to defend the ideas of compassion, peace, harmony and affection,”
Maybe, start by defending your data first.
After these reports came to light, they have started fixing their websites and in many cases bringing them down entirely.
If they are in the process of updating the website, that means they should at least acknowledge the breach was their own fault and not lie about it publicly.
When this news first came to light, we were told that there are international hackers behind all of it.
You don’t need any international hackers when you put your entire database dump online and also when you put API credentials in the website itself.
7. Code of the Project
I am sharing all the code that I have used here in this post on my Github except the database JSON files, of course.
Here is the link: https://github.com/shashichander009/congdata
Thank you for reading. You can follow me on Twitter: @devzoy