Vulnerable Endpoint of Indian Government Parivahan Website Exposed Source Code & 10K User Sensitive Records Including Government Officials’ IDs

On August 2, 2023, CloudSEK's XVigil AI platform found a threat actor sharing iRAD's road safety database source code, a Government of India initiative, on a cybercrime forum.
Published on August 12, 2023 (updated August 12, 2023)

Category: Adversary Intelligence

Industry: Government

Motivation: Reputation

Country: India

Source rating: C3 (C: Fairly reliable; 3: Possibly True)

Executive Summary

THREAT

  • Source code of an Indian government website shared for free.
  • In a follow-up post, the TA shared, again for free, 10K records obtained from a vulnerable API endpoint through SQL injection.

IMPACT

  • Sample dataset can lead to full account takeover.
  • Source code could help attackers understand the website's logic and craft well-targeted cyber attacks.
  • It would equip malicious actors with details required to exfiltrate data and maintain persistence.

MITIGATION

  • Patch vulnerable and exploitable endpoints. 
  • Monitor cybercrime forums for the latest tactics employed by threat actors. 

Analysis and Attribution

Information from the Post

On 02 August 2023, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor (TA) sharing, on an underground cybercrime forum, the source code of iRAD (Integrated Road Accident Database, https://irad.parivahan.gov.in/). iRAD is an initiative of the Ministry of Road Transport and Highways (MoRTH), Government of India, funded by the World Bank, with the objective of improving road safety in the country.

Source Code Analysis

Our source was able to obtain the source code, totaling 165 MB in size. Most of the code is written in PHP.

We found several sensitive assets embedded in the code: hostnames, database names, and passwords. The usernames and passwords in the source code were quite simple and would be prone to brute-force attacks by anyone with local access to the server.

Simple passwords to the servers

We observed that the source code includes references to sms.gov.in, the NIC SMS Gateway that enables government departments to integrate and send citizen-centric SMS to Indian nationals. Additionally, the gateway URL embedded in the source code carries the username and password as fields, which, if misused, could grant unauthorized individuals the ability to send messages to recipients.

NIC SMS service with embedded username and password
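The database credentials and the gateway URL with an embedded username and password are exactly what a repository secret scan should catch. As an added example, not part of the original report or the iRAD code, the Python scanner below runs over a constructed PHP fragment; the hostnames, credentials and the sms.example gateway URL in it are invented placeholders, and the weak-password heuristic is an assumption.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed PHP sample (not from the leaked code) with the kinds of findings
# described above: a database password and a gateway URL carrying credentials.
SAMPLE_PHP = r'''<?php
$db_host = "db.example.internal";
$db_name = "irad_db";
$db_user = "admin";
$db_pass = "admin123";
define('SMS_URL', 'https://sms.example/send?username=deptuser&password=Pass1234&mobile=');
$debug = true;
'''

# A PHP variable or define() constant whose name suggests a secret, assigned a string literal.
SECRET_ASSIGN = re.compile(
    r'(?:\$(?P<var>\w*(?:pass|pwd|secret|token|key)\w*)\s*=\s*'
    r'|define\(\s*[\'"](?P<const>\w*(?:pass|pwd|secret|token|key)\w*)[\'"]\s*,\s*)'
    r'[\'"](?P<val>[^\'"]+)[\'"]', re.IGNORECASE)
URL = re.compile(r'https?://[^\s\'"<>]+')
CRED_PARAMS = {"username", "user", "password", "pass", "pwd"}

def is_weak(pw: str) -> bool:
    """Heuristic (assumption): short, or just letters optionally followed by digits."""
    return len(pw) < 12 or re.fullmatch(r'[A-Za-z]+\d*', pw) is not None

def redact(secret: str) -> str:
    return secret[:2] + "*" * (len(secret) - 2)  # keep a hint, never the full value

def scan_php(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, finding_kind, redacted_detail) for each hard-coded secret."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = SECRET_ASSIGN.search(line)
        if m:
            name = m.group("var") or m.group("const")
            kind = "weak-password" if is_weak(m.group("val")) else "hardcoded-secret"
            findings.append((no, kind, f"{name}={redact(m.group('val'))}"))
        for url in URL.findall(line):  # credentials passed as URL query parameters
            parts = urlsplit(url)
            hit = sorted(CRED_PARAMS & set(parse_qs(parts.query)))
            if hit:
                findings.append((no, "credentials-in-url", f"{parts.netloc} params={hit}"))
    return findings

if __name__ == "__main__":
    for line_no, kind, detail in scan_php(SAMPLE_PHP):
        print(f"line {line_no}: {kind} {detail}")
```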

Follow-up Post by Threat Actor

On 07 August 2023, the same threat actor made another post sharing a sample dataset of 10K users of the website. The post also states that SQL injection was used to obtain the data from a vulnerable API endpoint, which at the time of writing was still accessible.

Advertisement for 10K citizen records containing sensitive data

Sample dataset

Data Analysis

  • As the advertisement claims, the sample dataset contains 10,000 user records with sensitive user information.
  • The header contains the fields id, office_id, name, email, regno, active, mobile, ps_code, remarks, password, username, createdby, dept_code, role_code, state_code, designation, created_date, old_password, password_enc, district_code, email_verified and mobile_verified.
  • Our source could verify some of the mobile numbers and the names mentioned in the sample dataset against Truecaller and they matched.
  • The sample data also contains government officials' email IDs and clear text passwords.

Email ID domain               Number of entries
nic.in                        200
gov.in                        98
gmail.com (likely users' IDs) 5116
Others                        4586

Threat Actor Activity and Rating

Threat Actor Profiling

Active since: 02 August 2023
Current Status: Active
Point of Contact: None
Rating: C3 (C: Fairly reliable; 3: Possibly True)

Impact & Mitigation

What is the Impact of this Data leak?

  • The leaked information could be used to gain initial access to the website’s infrastructure.
  • If the leaked passwords are not encrypted, it could enable account takeovers.
  • Commonly used or weak passwords could be recovered by brute-force attacks.
  • It would equip malicious actors with the details required to exfiltrate data, and maintain persistence.

How can you Mitigate?

  • Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
  • Patch vulnerable and exploitable endpoints. 
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Scan repositories to identify exposed credentials and secrets. 
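As an added example, not from the report, the Python detector below shows one concrete anomaly check for account takeover after such a leak of username and password pairs: a single source address trying many distinct accounts within a short window, and the accounts that logged in successfully from it during that burst. The log format, the five-account threshold and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed authentication log (not from the page): one source tries many different
# accounts in quick succession, and some of the attempts succeed.
AUTH_LOG = """\
2023-08-08T10:00:01 FAIL user=officer1@example.gov.in ip=203.0.113.7
2023-08-08T10:00:02 FAIL user=officer2@example.gov.in ip=203.0.113.7
2023-08-08T10:00:03 OK   user=officer3@example.gov.in ip=203.0.113.7
2023-08-08T10:00:04 FAIL user=citizen9@example.com ip=203.0.113.7
2023-08-08T10:00:05 OK   user=officer4@example.gov.in ip=203.0.113.7
2023-08-08T10:00:06 FAIL user=citizen12@example.com ip=203.0.113.7
2023-08-08T10:05:00 OK   user=officer1@example.gov.in ip=198.51.100.20
2023-08-08T11:30:00 OK   user=officer3@example.gov.in ip=198.51.100.44
"""
LINE = re.compile(r'^(\S+) (OK|FAIL)\s+user=(\S+) ip=(\S+)$')  # assumed log format

def parse(log: str):
    # (timestamp, result, user, ip) tuples in time order; unparseable lines are skipped
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, ip))
    return sorted(events)

def detect_stuffing(log: str, window=timedelta(minutes=5), threshold=5) -> Dict[str, List[str]]:
    """IPs trying >= threshold distinct accounts within `window`, plus accounts that succeeded from them."""
    by_ip = defaultdict(list)
    for ev in parse(log):
        by_ip[ev[3]].append(ev)
    stuffing_ips, compromised = [], set()
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding time window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len({e[2] for e in burst}) >= threshold:
                if ip not in stuffing_ips:
                    stuffing_ips.append(ip)
                compromised.update(e[2] for e in burst if e[1] == "OK")
    return {"stuffing_ips": stuffing_ips, "compromised_accounts": sorted(compromised)}

if __name__ == "__main__":
    print(detect_stuffing(AUTH_LOG))
```

Accounts in `compromised_accounts` are candidates for forced password resets and session revocation, not proof of compromise on their own.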

