India’s federal election commission has fixed flaws in its website that exposed data about citizens’ requests for information on their electoral status, local political candidates and parties, and technical details about electronic voting machines. India is heading to its next general election, expected between April and May, to elect the members of its lower house of parliament who will form the new government.
The Election Commission of India has fixed the errors in the Right to Information (RTI) portal, which allows citizens to request access to the records of constitutional authorities, as well as state and central government institutions and private organizations that receive significant funds from the Indian government.
The bugs allowed access to RTI requests, and the download of transaction receipts and responses shared by officials, without proper verification of user credentials.
Some of the exposed data included the date the RTI was filed, the questions asked, the applicant’s name and postal address, the poverty line status of the applicant and the RTI responses.
Security researcher Karan Saini found the bugs in February and asked TechCrunch to help disclose them to authorities after the Election Commission, India’s Computer Emergency Response Team (CERT-In) and the National Center for Critical Information Infrastructure Protection initially did not respond to requests to fix them. The bugs were fixed earlier this week after CERT-In intervened.
“CERT-In is coordinating the matter with the relevant authority. Recently, CERT-In was informed by the relevant authority that the reported vulnerability has been patched,” the Indian cyber security agency said in an email to TechCrunch on Tuesday.
The agency also confirmed the fix to the researcher.
Although RTI applications and responses are not confidential under Indian law, a ruling (PDF) by the Calcutta High Court in 2014 ordered authorities that take the personal data of RTI applicants “to hide such information and particularly from their website so that citizens do not know the details”.
By default, the election commission’s RTI portal does not provide public access to individual RTI applications and responses, meaning that external access to the data, and the possibility of it being hacked because it was publicly accessible, made the flaws a privacy issue.
The Election Commission of India did not respond to a request for comment.