The recently launched drive by the Congress party to induct a whopping 5 lakh ‘social media warriors’ to support the party has turned out to be an exercise marred by massive security loopholes. The Congress IT cell seems to have slipped even in putting basic IT security measures in place for this initiative.
A special website made by the Congress party to solicit applications and interest in joining this online army has now potentially turned into a publicly available database of Congress supporters, with their names, phone numbers, addresses, emails, social media profiles and other personal details leaked online. The online drive could soon become fodder for online scams.
The website was launched with a video message by Congress President Rahul Gandhi on February 8, 2021, asking people to join the drive by submitting their personal details. Many did so, but little did they know that they could be put at risk by loopholes in the entire process. The security loopholes have remained open since then, i.e. for at least 5 days since its launch.
The aforementioned website, available at the URL incsmw.in, used an online application form to collect information like names, addresses, phone numbers, email IDs, social media profiles, education details, the number of hours a person is willing to work daily for the Congress party, and many other such details.
This data collected by the Congress party was supposed to be safe with the party and its IT cell and for their internal use, but now it’s virtually out in the open thanks to the bad security practices employed by the party while creating this website.
This loophole was exposed by Twitter user @rsgovin, who put out a detailed thread about the website’s vulnerabilities this morning (February 13, 2021). The user masked the identifiable personal details of people wanting to become Congress’ social media warriors so that the details are not misused and the Congress supporters are not harassed.
Following is the screenshot of all applicants who applied to become part of this Congress initiative in Bihar. The identifiable personal details have been masked by @rsgovin and put online to prove how the website of Congress is indeed leaking personal data.
Not just Bihar: the data of Congress supporters wanting to become social media warriors of the party in any state or union territory can be downloaded in Microsoft Excel format by anyone sending a few modified queries to the site’s PHP scripts. A person wanting to extract such data doesn’t even need administrative access to the website. This is a major security flaw and has exposed the personal details of thousands of Congress supporters.
“In this manner, the personal data of all the users registered on their website is at risk. The data can be downloaded by anyone, by simply tweaking a few queries on their website!” Twitter user @rsgovin revealed in a thread. @rsgovin further checked whether details submitted by some users, like their Voter ID, are genuine, and found that they were.
What next?— RS (@rsgovin) February 13, 2021
Their database also exposes many Congi IT Cell Members’ sensitive details like Mobile Numbers, Passwords, VoterID details, etc.
They’ve the passwords stored in plain-text!🤦♂️
I tested the validity of a VoterID on ECI portal, and it was found valid.
Check screens. pic.twitter.com/hCyqIHzAyy
Many Congress supporters trusted the party in good faith to keep their personal details safe, but the party clearly failed to do so.
In fact, @rsgovin demonstrated that he could log into the administrator area of the website launched by Congress as well, so weak are the security protocols employed at the website built to raise an ‘online army’ for the Congress party and Rahul Gandhi.
While the failure to keep sensitive data like physical addresses and phone numbers safe is itself shocking, the website launched by the Congress party has also been found to skip even the most basic security practice of not storing passwords in plain text. This further puts the registered Congress volunteers at risk, because their social media accounts could also be compromised if they reuse the same or similar passwords there.
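The two flaws the article reports, plain-text password storage and a data export that anyone can pull without administrative access, are both avoidable with a few lines of server-side code. The following is an added illustration, not code from the Congress website or from @rsgovin’s thread: it uses a constructed in-memory volunteer table with a hypothetical schema, shows the weak pattern beside a hardened form that stores only a salted PBKDF2 hash and gates the export behind an authenticated admin session.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stand-ins for a volunteer table and a session store
# (hypothetical schema; the real site's storage is not shown in the article).
VOLUNTEERS = {}  # email -> record
SESSIONS = {}    # session token -> email


def register_insecure(email, password, state, phone):
    """Weak pattern the article describes: the password is stored exactly as
    submitted, so anyone who can read the table can read every volunteer's secret."""
    VOLUNTEERS[email] = {"password": password, "state": state, "phone": phone}


def export_insecure(state):
    """Weak pattern: the export is keyed only on a request parameter; nothing checks who asks."""
    return [r for r in VOLUNTEERS.values() if r["state"] == state]


def _derive(password, salt):
    # Slow, salted key derivation: a leaked table no longer yields reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def register(email, password, state, phone, role="volunteer"):
    """Hardened form: store only a per-user random salt and the derived hash."""
    salt = os.urandom(16)
    VOLUNTEERS[email] = {"salt": salt, "pw_hash": _derive(password, salt),
                         "state": state, "phone": phone, "role": role}


def login(email, password):
    """Return a random session token on success, None otherwise."""
    rec = VOLUNTEERS.get(email)
    if rec is None or "pw_hash" not in rec:
        return None
    # Constant-time comparison of the freshly derived hash against the stored one.
    if not hmac.compare_digest(_derive(password, rec["salt"]), rec["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def export(token, state):
    """Hardened export: requires a valid session whose account holds the admin role."""
    email = SESSIONS.get(token)
    if email is None or VOLUNTEERS[email].get("role") != "admin":
        raise PermissionError("admin session required")
    return [{"email": e, "phone": r["phone"]}
            for e, r in VOLUNTEERS.items() if r["state"] == state]
```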
OpIndia tried to verify the claims of @rsgovin, and we found that the security loopholes definitely existed at the time of filing this report and that the Congress party had not fixed them yet, despite @rsgovin tagging them on Twitter and bringing the vulnerabilities to their notice.
I appeal to @INCIndia to get their website, which currently leaks people’s sensitive/private data, fixed; and not to blindly back some wannabe ‘hacker’ who shows raw GET/POST data & claims it to be an ‘expose’!🤦♂️😅— RS (@rsgovin) February 13, 2021
In these five days, thousands have registered on the website, as claimed by the Congress party, and that means thousands of people are now at risk of being targeted either by hackers or by marketers who will have access to their personal data. All because they trusted the Congress party to keep their data safe.