The “Narendra Modi” app had a vulnerability that compromised the private info of 7 million users who had registered on it.

Before we proceed with this article, we would like to explain the meaning of “hack” to those in our media who, for reasons best known to them, have been calling this incident a “non-hack”.

Hack

Gain unauthorized access to data in a system or computer

Yes, if any random individual is able to enter your system and gather or access data, it is called a hack.

It must come as no surprise to many of you that the article published by YourStory was taken down. Not only was it taken down, but they even issued an explanation for doing so.
The 22-year-old app developer has also asked them to take down the screenshot that he provided.

We were able to successfully replicate the man-in-the-middle attack within a few hours of the YourStory post. It remains to be seen whether anyone else dumped the data of all users, since the information was being communicated without encryption. We have gotten rid of any kind of sensitive information, including screenshots, since uploading any of it would be a privacy breach on its own. Other security researchers have also successfully replicated it. The vulnerability has since been fixed, and at the time of writing this article the private info can no longer be accessed.

The manner in which YourStory & name removed have reacted since the takedown is suspicious, but whether they were forced to act this way can only remain speculation.

The individual who contacted YourStory has since requested that all media houses remove any attributions to him. In fact, FirstPost, like many other media outlets, ended up deleting its post soon after YourStory did.

What worries us is the statement provided by YourStory and by Amit Malviya, National Convener – Information & Technology for the BJP.
Let's begin with the explanation YourStory came up with for removing the article:

“the article did not cover the other point of view, that is, of the app maker, as we could not reach the relevant person..”

Yes, we agree that the other point of view is needed, but the sane thing to do would have been to update the original article to reflect it, since by the time the explanation was given there was already a temporary fix in place to stop others from accessing user data.

Coming to the explanation given by Mr. Malviya, we really cannot understand how a person who starts by saying “most of the data that is shared on the App is, anyway, in the public domain” is going to really care about your privacy.

Here is the full text to be fair:

We have come across a report about ‘Narendra Modi Mobile App’ in which a possibility to access user data has been mentioned.

“We would like to state that most of the data that is shared on the App is, anyway, in the public domain, for instance, comments posted by individual users, various posts, the groups and following list of every user, can be seen by anyone who is using the App. The App doesn’t capture any private or sensitive data. App user’s information is stored in an encrypted mode.
We take data security very seriously, and adequate measures are in place to avoid any possible security breach or threat.
We would like to thank Mr. Javed Khatri for acknowledging that the developers have focussed a lot on security. We have since had a constructive engagement and discussed various security measures to further enhance the security features of the App.
Our digital assets are put through routine security audits and are in compliance with extant standards. In fact, we encourage anyone who has any suggestions or inputs on how we can improve the overall experience on the App is welcome to write to us through the feedback section in the App.”

We don’t understand how one can compare comments, posts and groups to private info like date of birth, phone number & education. The first step to solving a problem would be to acknowledge it.
A 22-year-old was able to get the private info of a current minister and had easy access to the private info of 7 million users, and then comes a claim that adequate measures are in place. Seriously? Where were the measures? What if the data had been dumped with criminal intent by someone else?

Techzei has come across criminals selling data of Indians (dumped from a stock-based website) on the darknet for under 1 USD.
We are currently keeping an eye on the darknet to see if anyone selling the user data from the “Narendra Modi” app surfaces.

Indian law does hold the app creators responsible, and they could face charges if a user sues them, but this remains highly unlikely since it is more of a fan app.

We have reached out to the owner of YourStory via Twitter and will also email the editors for their view of the story; we will update this post with their side of it.

For all queries in relation to this post, please contact Techzei’s New York office via the contact us page.
