French security researcher Robert Baptiste, who goes by the name Elliot Alderson on his Twitter account, revealed several vulnerabilities in the database of India's state-owned telco Bharat Sanchar Nigam Limited (BSNL), which contains the names, passwords and mobile numbers of its 47,000 employees.
Baptiste found multiple issues with different levels of severity and reported them to BSNL, which acknowledged the issues and fixed them. The security researcher said that BSNL's intranet was vulnerable to an SQL injection, allowing an attacker to dump all the information of 47,000 employees from its database.
1) There was a SQL injection in their intranet website. It allows the attacker to dump the whole database of the BSNL intranet. It contains the information of 47K+ BSNL employees, senior officers' information, BSNL administrators' information, retired employee details and more. pic.twitter.com/HTEwtC63wp
— Elliot Alderson (@fs0c131y) March 4, 2018
The French hacker said he was not the first to find this flaw; it had been found by an Indian named Sai Krishna Kothapalli two years ago, but his emails and calls to BSNL officers went unanswered. As many as eight other BSNL websites had open directories that allowed anyone to access the database.
“I found this a few days ago, but I'm not the first one to discover it. This issue was discovered by an Indian, kmskrishna, two years ago. He sent mails to BSNL, even called senior officers, but nobody answered him. Once again, it shows the importance for big companies like BSNL to take into account this kind of alert,” he tweeted on Sunday.
Baptiste also pointed out that the BSNL intranet had been attacked by ransomware which went unnoticed. “A monitoring bandwidth system was accessible publicly. BSNL websites had a lot of open directories which allowed everybody to consult their documents. Some sites are down, and some are fixed. calcutta.bsnl.co.in has been fixed,” he said.
The Economic Times said it had communicated with Baptiste who told them he had informed BSNL about the flaws. “I discussed with @BSNLCorporate and a member of their IT team. They (BSNL) have acknowledged the issues and fixed them (after my report),” the researcher said.