In the lead-up to India’s crucial general elections scheduled for April-May 2024, a timely intervention has addressed a set of critical security vulnerabilities on the Election Commission of India’s (ECI) Right to Information (RTI) portal, according to a report from TechCrunch.
The flaws, highlighted by security researcher Karan Saini, were present within the Election Commission’s RTI portal. The portal malfunctioned in a manner that allowed unauthorized individuals to view RTI requests submitted by Indian citizens. This could have potentially exposed the nature of inquiries posed to the ECI, raising concerns about the confidentiality of information sought by citizens exercising their right to transparency under the RTI Act. Furthermore, having unfettered access to downloadable transaction receipts associated with RTI applications could have compromised details such as filing dates, potentially enabling malicious actors to track RTI application activity.
The security lapse might have allowed unauthorized parties to view responses formulated by Public Information Officers (PIOs) in response to RTI requests as well, and perhaps what’s most concerning is that the vulnerabilities exposed various elements of personal data pertaining to RTI applicants. This included names, mailing addresses, poverty line status, and other details that could be misused for malicious purposes.
For those who are unaware, the RTI portal is an online platform mandated by the Right to Information Act 2005 in India. Currently, it empowers Indian citizens to file RTI applications and appeals electronically to various government bodies, and is known for facilitating requests for information on government functions and ensuring timely responses. The portal also provides a gateway to access RTI-related resources and information about Public Information Officers (PIOs) who handle RTI requests.
If the critical security vulnerabilities identified on the Election Commission of India’s Right to Information (RTI) portal had not been promptly addressed, the consequences could have been severe and far-reaching. For example, having unauthorized access to citizens’ personal data, including their names, addresses, and poverty line status, could have led to significant breaches of privacy. Such sensitive information, if exposed, might have been exploited for malicious purposes, including identity theft, fraud, or harassment. Not to mention the fallout and the backlash that the Election Commission would have faced (including potential legal liabilities).
Saini discovered the vulnerabilities last month. Despite attempts to notify the Election Commission, the Indian Computer Emergency Response Team (CERT-In), and the National Critical Information Infrastructure Protection Center, no immediate action was taken. The bugs were ultimately addressed earlier this week following CERT-In’s intervention.