In November 2011, Mr. Umar Saif took charge as chairman of PITB (Punjab Information Technology Board) with a vision of bringing about a digital revolution in Punjab. As a result, decades-old sensitive government records such as police records and land records were digitized. It would have been a great achievement if it had stopped there. Without thinking through the implications, he then started making this confidential data accessible, along with the bio data of 200 million Pakistani citizens acquired from NADRA through various APIs. Mobile apps and portals without any proper cybersecurity controls were built for government officials, with direct access to NADRA, telco and PITB data. These apps and the credentials to the portals got leaked over time and are now in the hands of 15-year-old kids who are selling them online for 200 rupees per copy. This is an alarming situation for the entire nation: citizens' non-renewable identity data is leaked and in the hands of anti-state and criminal actors.

Objective of this Post

  1. Identify all leaked data sources
    1. Current data access state
    2. Identify how widespread it is by now
    3. Is it a PITB subsidiary or another govt. body?
    4. Does it involve NADRA data?
    5. Does it involve telco data?
    6. Samples of the leaked data
  2. Identify leakers/dealers
    1. Screenshots of the conversations held with the sellers
    2. Their PII, including real names, CNIC and mobile phone numbers
    3. Mode of payment

Recommendations from ‘InfoSec Team’

  1. NADRA should revoke all API access granted to PITB and to any other government or private body until they pass a comprehensive security assessment
  2. PITB should immediately take all of these APIs and portals off the open internet and change all IP addresses and API endpoints; since the credentials themselves have leaked, every account must also be revoked and reissued, because changing addresses alone does nothing against someone who already holds a valid login
  3. PITB should hire a proper team of security professionals and commission a comprehensive security assessment of all of its apps and its datacenter for potential backdoors and vulnerabilities
  4. The Supreme Court of Pakistan must launch an inquiry into this matter to find the real culprits behind this massive data leak, and establish who was responsible for ensuring the security of these apps and APIs
| # | Leaked data source | Features / data items | How current? | Current state | Data format | App URL / upload link | PITB? | NADRA? | Telco? | Top sellers | Data evidence / screenshots |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Pakistan vs World XI mobile app | CNIC info, renter info and other | Latest, 2018 | Down | Mobile app using the Punjab Job Portal API | Punjab job portal | Yes | Yes | Yes | | Appendix A |
| 2 | Agriloan portal (farmer database) | Picture + CNIC of any person | Latest, 2018 | Down | Online portal access | http://agriloan.punjab.gov.pk/user/login | Yes | Yes | No | | Appendix B |
| 3 | CDR data | SMS and call records of any mobile number | Last 3 months | Working | Online portal access (telco CRM) | Various people have CRM access via VPN to all telcos | N/A | No | Yes | | Appendix C |
| 4 | Telco dump | MDB databases of registered mobiles per telecom operator | 2004-17 | Still valid | VM, MS Access, SQL databases | [See links section] | No | No | No | | Appendix D |
| 5 | Police toolkit | Criminal history, renters record | Latest, 2018 | Down | punjabpolice.gov.pk mobile app | .apk being distributed on WhatsApp groups | Yes | Yes | Yes | | Appendix E |
| 6 | Person Tracker | Mobile phone tracking, geo coordinates | N/A | Working | Pakdata.ml application | https://play.google.com/store/apps/details?id=com.database.persontracker.lite&hl=en | Yes | Yes | Yes | | Appendix F |
| 7 | NADRA family tree | Full B-form details including family bio data | Latest, 2018 | Not sure | Images of the files | Hidden / Facebook sellers have it | N/A | Yes | No | | Appendix G |

CNIC details extracted from the Pak vs World XI app

A vulnerable Android app, made by PITB for the police during the Pakistan vs World XI cricket match in Lahore, gives out hotel check-in information and criminal records

CNIC details extracted from farmer portal (agriloan login)

Sample data extracted from NADRA's live systems through the API that PITB exposed in one of its public portals, 'Agriloan'

CDR data evidence

While this seems unrelated to the PITB leak, people have VPN access to the CRMs of multiple telcos

CDRs (call detail records) covering up to the last 3 months can be purchased for 2,000 rupees per number

Offline database dumps of Telecom data

The archives contain databases from different telecom operators, with accurate bio data up to 2016

People have built desktop applications connected to these offline databases and are selling them openly

Database sample of customer PII from a telecom company, leaked through its APIs exposed to PITB apps

Police Toolkit leaking bio data, driving licence, criminal record and vehicle ownership data

Another vulnerable PITB web and mobile app for police investigations, abused by police officials sharing its credentials and APK files among themselves

Person Tracker app linked with PakData.ml/cf

Another criminal group has extracted the PITB APIs, dumped the data and connected it to their apps, which are available on the Play Store

Traffic police licence record and tenant/rentee record

PITB apps expose complete access to traffic police driving licence records and citizens' tenant records

Pak vs World XI app requests

Sample (unprotected) API calls captured from the PITB apps show that the apps are built and hosted in the PITB datacenter

A sample API call captured from the PITB app clearly shows the data it returns, with no authentication in place
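The captured calls above show the core defect: a lookup endpoint that hands a citizen record to anyone who sends the request, so a leaked APK or URL is as good as a database dump. The following is an added illustrative example, not code from PITB or from this post. It puts that pattern beside a hardened one: a server-signed, short-lived token bound to one officer and one scope, a required stated purpose, a per-officer rate limit, an audit log of every decision, and a detection query over that log for accounts doing bulk lookups, which is what a resold credential looks like in the records. The record store, key, CNIC values, officer ids and all function names are constructed for the example.

```python
"""Added illustrative example (not PITB's code): an unauthenticated citizen
lookup beside a hardened one. Record store, key, CNICs, officer ids and
function names are all constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from collections import defaultdict

# Constructed stand-in for the NADRA/telco-backed record store.
CITIZENS = {
    "35201-0000000-1": {"name": "Test Person A", "city": "Lahore"},
    "42101-0000000-2": {"name": "Test Person B", "city": "Karachi"},
}


def lookup_unprotected(cnic):
    """The leaked-app pattern: whoever knows the URL (or holds the APK) gets the record."""
    return CITIZENS.get(cnic)


# Hardened variant. The signing key lives server-side only; an APK never embeds it.
SERVER_KEY = b"constructed-server-side-secret"  # hypothetical value; rotate, keep out of clients
TOKEN_TTL = 300   # seconds a token stays valid
RATE_LIMIT = 5    # successful lookups allowed per officer per window
WINDOW = 60       # seconds


def issue_token(officer_id, scope, now=None):
    """Mint a short-lived HMAC-signed token bound to one officer and one scope."""
    now = int(now if now is not None else time.time())
    claims = {"sub": officer_id, "scope": scope, "exp": now + TOKEN_TTL}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = now if now is not None else time.time()
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time compare
        return None
    claims = json.loads(payload)
    return claims if claims.get("exp", 0) >= now else None


AUDIT_LOG = []              # every decision, allowed or denied, is recorded
_hits = defaultdict(list)   # officer id -> timestamps of recent successful lookups


def lookup_protected(cnic, token, purpose, now=None):
    """Same lookup, gated on identity, scope, a stated purpose and a rate limit."""
    now = now if now is not None else time.time()
    claims = verify_token(token, now)
    if claims is None:
        AUDIT_LOG.append({"t": now, "officer": None, "cnic": cnic, "result": "denied_auth"})
        return {"error": "unauthorized"}
    officer = claims["sub"]
    if claims.get("scope") != "citizen:read":
        AUDIT_LOG.append({"t": now, "officer": officer, "cnic": cnic, "result": "denied_scope"})
        return {"error": "forbidden"}
    if not purpose:   # e.g. an FIR number; makes every query attributable
        AUDIT_LOG.append({"t": now, "officer": officer, "cnic": cnic, "result": "denied_purpose"})
        return {"error": "purpose_required"}
    recent = [t for t in _hits[officer] if t > now - WINDOW]
    if len(recent) >= RATE_LIMIT:
        _hits[officer] = recent
        AUDIT_LOG.append({"t": now, "officer": officer, "cnic": cnic, "result": "rate_limited"})
        return {"error": "rate_limited"}
    recent.append(now)
    _hits[officer] = recent
    AUDIT_LOG.append({"t": now, "officer": officer, "cnic": cnic,
                      "purpose": purpose, "result": "ok"})
    record = CITIZENS.get(cnic)
    return {"record": record} if record else {"error": "not_found"}


def bulk_lookup_officers(log, max_distinct):
    """Detection side: officers whose successful lookups span more distinct CNICs
    than an investigation plausibly needs, the signature of a resold account."""
    seen = defaultdict(set)
    for entry in log:
        if entry["result"] == "ok":
            seen[entry["officer"]].add(entry["cnic"])
    return sorted(o for o, cnics in seen.items() if len(cnics) > max_distinct)
```

The unprotected function is one line because that is all the leaked apps' backend amounted to. Everything in the hardened path is what "check and balance" means in practice: the server, not the client, decides who may ask, the token expires before a forwarded screenshot of it is useful, and the audit log turns a sold account into something the bulk-lookup query can flag.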

Dozens of secret and public Facebook and WhatsApp groups are operating to sell all kinds of confidential data leaked from PITB. Portals PITB has exposed on the open internet include:

  1. https://hoteleye.punjab.gov.pk/
  2. http://mspc.punjab.gov.pk/
  3. http://eproc.punjab.gov.pk/
  4. http://mis.ppra.punjab.gov.pk/login/
  5. http://services.punjab.gov.pk/_login/
  6. http://roster.punjab.gov.pk/
  7. https://policereport.punjab.gov.pk/
  8. http://dashboard.tracking.punjab.gov.pk/
  9. http://sms.punjab.gov.pk/
  10. http://mis.hed.punjab.gov.pk/
  11. http://tracking.dgip.gov.pk/
  12. http://fars.pitb.gov.pk/admin/
  13. http://mail.e.pra.punjab.gov.pk/Mondo/lang/sys/login.aspx
  14. https://cims.punjab.gov.pk/dashboard/login
  15. http://crolahore.punjabpolice.gov.pk/
  16. http://crolahore.punjabpolice.gov.pk/login/process_login
  17. https://ctdfir.punjab.gov.pk/
  18. http://202.83.173.90/FIR/login
  19. https://www.pitb.gov.pk/hotel_eye
  20. https://www.pitb.gov.pk/iasb
  21. https://www.pitb.gov.pk/sis
  22. http://fc.punjab.gov.pk/services/
  23. https://es.punjab.gov.pk/eStampCitizenPortal/ChallanFormView/VerifyStamp
  24. http://ureport.punjab.gov.pk/
  25. https://fir.punjabpolice.gov.pk/login

PITB has put scores of such critical portals on the open internet; with no security controls in place, they are likely to be exploited in the coming days

NADRA and PITB hacked?

NADRA and PITB may deny any claims of NADRA being hacked, but when data is fed out over APIs with no checks and balances, it is no less than being hacked. If your confidential data is sold for $2, it shows the lack of cyber security, and until they bring in all those who sold the data, we can only say that NADRA was hacked.


