Mumbai: A 22-year-old hacker from Mumbai hacks the Narendra Modi app, exposing a threat to the data of 7 million users. In the wee hours of December 1, 2016, we got an email from Javed Khatri, who claims to have hacked the Narendra Modi app, reported on reddit.com.
Javed Khatri claims his intention is to alert the developers to the vulnerability in the NaMo app, which can be easily compromised.
@narendramodi_in I have found a security issue in Narendra Modi’s app. Would like to report the issue.
— Javed Khatri (@IamJavedKhatri) December 1, 2016
Talking to YourStory, he says the intention behind the exposé is to focus on the security of the app, not to cause any damage.
Yesterday Javed Khatri, who claims to have hacked the Narendra Modi app, sent an email to YourStory.
The email read:
“I am able to access private data of any user on the app. The data includes phone number, email, name, location, interests, last seen etc. I successfully managed to extract the personal phone numbers and email ids of ministers like Smriti Irani (screenshot at the end of the article). Please find attached the screenshot.
Not only that, I can make any user on the platform follow any other user on the platform. This is just the summary of this huge security loophole which I want to report. The privacy of more than seven million users is at stake if this gets ignored.”
Here are the excerpts from an exclusive chat with Javed.
YourStory: Would you want to come on record were we to report this?
JK: Yes, I would like to come on record as my intentions are clear. As I said, I don’t want to cause any damage. I just want them to pay attention to the security of the app and the privacy of the users.
YS: What work have you been doing?
JK: I run a mobile app development company called Applab here in Mumbai. I am a mobile app developer and a designer who loves building innovative products. In my free time, I like to research security loopholes in various apps and websites. I have cracked a lot of apps and websites but I can’t disclose all of them.
YS: Was it very easy to hack the app? What are your thoughts on the security standards?
JK: It was not that difficult to hack the app. It took me around 15-20 minutes to get the entire access. Although the developers have focused a lot on security, they have left certain loopholes.
YS: Can you show us more proof that the extracted data is from the app we’re speaking of?
JK: Yes, I can show. For this, I would require you to sign up on the app with your name and once you sign up I can extract your personal details without your permission. Also, I have attached another screenshot with the URL which belongs to the app.
In this screenshot, you can see the personal data of Dr. Jitendra Singh, Minister of State for the Ministry of Development of North Eastern Region, Prime Minister Office, which you can’t access via the app.
Vulnerable script in the app which, according to Javed, can be exploited and compromised.
YS: What are your suggestions/advice for the developer of the app?
JK: Most of the developers don’t do thorough security testing (penetration testing) before releasing their apps. From my experience, I can say more than 90 percent of the apps are hackable. The code inside the app is not properly obfuscated. Secret keys and API access keys can be easily extracted by reverse engineering. I would only advise them to come up with a more secure user authentication mechanism.
To test Javed’s claims, we signed up on the app. And as it turns out, Javed could fish out the details!
This is a serious privacy issue and should be sorted out as soon as possible. The reason we are carrying the article is because we take security and privacy issues seriously! We hope that the government takes notice and plugs the security loopholes immediately.
*This story was later removed from their website*
No official confirmation has been released by the government yet, but it is a matter of great concern. On 20th Oct 2016, 32,00,000 SBI, HDFC Bank, ICICI, YES Bank and Axis debit cards were compromised.
Of the cards, 2.6 million were said to be on the Visa and MasterCard platforms and 600,000 on the RuPay platform. The worst-hit of the card-issuing banks were State Bank of India, HDFC Bank, ICICI Bank, YES Bank and Axis Bank.
On 7th November 2016, seven Indian High Commission websites were hacked, publishing online the login details, passwords and database containing names, passport numbers, email-IDs and phone numbers of people of Indian origin.
Prime Minister Narendra Modi is trying to create a cashless economy in India, ignoring the fact that it will bring many cyber dangers and threats for users.