A French cyber security researcher and ethical hacker on Monday morning tweeted that official website of Indian Prime Minister Narendra Modi has been compromised and that someone unauthorised already has access to full website data. The hacker, who goes by name of Elliot Alderson on Twitter, says that the person who has unauthorised access to narendramodi.in uploaded a simple text file on the site server as a proof and then alerted him.
Alderson’s real name is Robert Baptiste and he is fairly well-known in India because of his challenges to UIDAI after he found security loopholes and bugs in India’s Aadhaar programme and Aadhaar app.
From his latest tweet it is clear that Baptiste is not the one who got the access to narendramodi.in servers. He says that someone else did it and then alerted him.
Update: It seems that the team that runs Modi’s website noticed tweet from Baptiste and quickly got in touch with him. The French hacker tweeted, “Contact has been done with their team… I had a nice chat with the narendramodi.in team. They will take the appropriate measures and solve the issue.”
Earlier Baptiste had tweeted: “Hi @narendramodi, A security issue has been detected on your website. An anonymous source uploaded a txt file containing my name on your websites in realtime. He also have a full access to your database. You should contact me in private and start a security audit ASAP!”
In his next tweet, Baptiste clarified, “PS: The vulnerability is working for the staging subdomain but also for the main website PS1: I didn’t upload this file, I’m not that stupid. PS2: The source deleted the file on my request just after I see it.”
A security issue has been detected on your website. An anonymous source uploaded a txt file containing my name on your websites in realtime. He also have a full access to your database. You should contact me in private and start a security audit ASAP!
— Elliot Alderson (@fs0c131y) January 14, 2019
If what Baptiste says is accurate it potentially gives the person who has unauthorised access to Modi’s website almost full control over the site. Baptiste says that the person has full access to data stored on the website, and while it is possible that this data may not contain sensitive details about the Indian Prime Minister, it may reveal a lot about the website itself, including how many users it has, the details of these users as well as may allow the person with unauthorised access to deface the website.