Indian Passport website hacked by Amateur – Makes money by blocking Tatkal Appointments


Many of our government websites are open to attack – so open that even an amateur can gain easy access to them.

Imagine: a small-time data entry operator was able to get through the firewalls and gain access to NIC servers. Not only that, he managed to remain hidden for over 4 months without anyone noticing.

It only came to light when Hyderabad police busted a gang of seven persons who were charging a hefty fee for getting confirmed appointments for submitting passport applications under the Tatkal scheme.


Here is the story – This Hyderabad-based DTP operator used to work at an agency, filling in client forms online. During the course of his work, he found bugs in the Passport website that let him access the NIC server and submit passport applications with confirmed dates under the Tatkal scheme, even though the dates were yet to be officially released by the passport authorities!

With all the appointments gone, the general public was never able to get appointments under the Tatkal Passport scheme. The hacker (if you can call him one..) then tied up with travel agents and sold each of these appointments to the general public for 3000 to 5000 rupees each.

Surprisingly, during these 4 months, the website administrators fixed some of the bugs, but those fixes were also circumvented.

This seriously goes to show the lax state of security on government-run websites. Luckily, this was a small-time guy trying to make some quick moolah. It could very well have been a case of the passport applicants' database being compromised. Imagine what would have happened with that kind of information in the wrong hands.

I think it is high time NIC pulls up their socks and ensures air-tight security on these websites!

  1. Altaf Rahman says

    I heard that in developed countries there are hackers associations, who get business in the development of creating new sites. Some companies offer them money for breaking their site to check its viability.

    I feel the guys responsible for this site should be sacked and the guy who hacked it should be given the job instead of punishing him and ending his career. As it was evident he was a normal guy who accidentally found that it can be hacked. So he must be a normal guy.

  2. Altaf Rahman says

    Hello @Above,

    I think your name suggests “[email protected] (upar ka dabba khali)
    Just read what you have written. It's a hollow comment without substantiating anything. The author has shown the incident of hacking as a proof.

    Still you get hot only indicates to the fact that you might be the one working there and will lose your job soon and getting angry with everyone who is laughing at your skill.

    Or maybe you are the son of that lazy bureaucrat on whose haram ki kamai you grow up developing high life and worried about becoming sadak chap once ur dad loses job.

    Just and learning how to type few words in blogs is not sufficient. Come up with something with stuff. Till then people will think you are a “6” in cricket terms.

  3. @Above says

    You are crying uselessly.
    NIC security is validated world wide.
    U bastards how u dare to say such shame words.

  4. An Indian Citizen says

    This is pathetic!! How did they find the guy? Was he still working for the passport office?

  5. Madhav Shivpuri says

    Pathetic – the Information security person should be fired and new controls put in place.

    @Hussain – checked your post and from there – http://gurgaon.nic.in/edisha.htm
    The pics on the page are a wonderful indication of our govt. offices and the website shows the amateurish way the agencies deem their websites and their work.

  6. Hussain says

    NIC is a shame to country’s IT services. Full of bad practices. Check my blog on one of their sites. Simply pathetic..

    http://blog.hussulinux.com/2010/04/shame-on-you-nic-national-informatics-center/
