India’s federal election commission has fixed flaws on its website that exposed data related to citizens’ requests for information related to their voting eligibility status, local political candidates and parties, and technical details about electronic voting machines. India is heading for its next general elections, expected between April and May, to elect the members of its parliament’s lower house who will form the new government.
The Election Commission of India fixed the bugs in its Right to Information (RTI) portal, which allows citizens to request access to records of constitutional authorities, as well as state and central government institutions and private organizations receiving substantial funds from the Indian government.
The bugs allowed access to the RTI requests, download transaction receipts, and responses shared by the officials without properly authenticating user logins.
Some of the exposed data included the RTI filing date, the questions asked, the applicant’s name and mailing address, the applicant’s poverty line status, and RTI responses.
Security researcher Karan Saini found the bugs in February and asked TC to help disclose them to the authorities after the Election Commission, the Indian Computer Emergency Response Team (CERT-In), and the National Critical Information Infrastructure Protection Center did not initially respond to his requests to fix them. The bugs were fixed earlier this week following CERT-In’s intervention.
“CERT-In has been coordinating the issue with the concerned authority. Recently, CERT-In has been informed by the concerned authority that the reported vulnerability has been fixed,” the Indian cybersecurity agency said in an email to TC on Tuesday.
The agency also confirmed the fix to the researcher.
Even though the RTI applications and responses are not confidential by Indian law, a judgment (PDF) by the Kolkata High Court in 2014 ordered authorities taking RTI applicants’ personal data “to hide such information and particularly from their website so that people at large would not know of the details.”
By default, the Election Commission’s RTI portal does not provide access to individual RTI applications and responses without logging in, which means external access to the data and its ability to be scraped — because it is accessible without a login — made the flaws a privacy issue.
The Election Commission of India did not respond to a request for comment.