I could send any text message from Indian government IDs

bellyfullofbac|4 years ago

I like that in the middle of that, a wild "block-chain" appeared. Congrats to whichever consulting company managed to sell that bullshit to the government.

the-dude|4 years ago

I think the author went way over the line here and should probably retract ASAP for his own well being.

pfortuny|4 years ago

You are totally right. Hope he gets this thread and removes that page for ever (at least the details), he runs a serious risk.

megous|4 years ago

> You would likely believe it, given the sender ID, wouldn’t you?

No. I absolutely don't believe anyone unknown calling me, no matter who he claims to be, or what the CLIP says, unless I can call back to a public number of the institution he claims to represent. CLIP just isn't secure.

I choose to risk believing for non-essential things, because security is just not convenient. But banks, government, anything where there's well reported fraud going on regularly,... no way.

Calling back is also good, because outgoing calls are automatically recorded by my operator and sent to my email, so if I'm to enter into any agreement, it's better to do it on an outgoing call.

eta-meson|4 years ago

I absolutely agree with you. I would also do the same. Here I think the author meant not so tech savy normal people.

woliveirajr|4 years ago

> Essentially, anyone can’t send arbitrary messages using the above-mentioned loophole anymore. TRAI’s new system fixed that loophole. > One can still send any message that fits in the template. But this largely restricts the possibilities of scams and misuse.

Seems to be fixed and that it was fixed during the time he did _nothing_ and just waited. Perhaps there was a responsible disclosure but he didn't said how he did it.

canadianfella|4 years ago

*Say

fareesh|4 years ago

Brave post - the government has jailed people for far less

tinus_hn|4 years ago

Brave? Or dumb? Using someone else’s credentials is against the law in most jurisdictions.

yeshok|4 years ago

It appears that he got the credentials from github, and this was critical for his exploit to work.

Aeolun|4 years ago

If he could find 30+ instances before he just gave up I’m not sure if we can count that as a significant barrier.

jeswin|4 years ago

And I hope he disclosed it responsibly.

mschuster91|4 years ago

The Indian Government should have asked Github for their "Secret Scanning" service (https://docs.github.com/en/code-security/secret-security/abo...).

That would have prevented the author just randomly stumbling on the credentials.

garaetjjte|4 years ago

>These Sender IDs are reserved by companies and government organisations. Receiving a message from these Sender IDs is meant to be authentic.

No, it's not. Caller ID is not authenticated and shouldn't be depended for anything sensitive.

jaytaylor|4 years ago

Archive link, in case there is a takedown: https://archive.is/iKzjh

swiley|4 years ago

Shared secret authentication is pretty much always a bad idea. I'm continually shocked people still use it.

asaddhamani|4 years ago

So what is the better option according to you?

privacyking|4 years ago

You don't need to hack their website to do this. SMS spoofing has been possible for decades and still is.

zenexer|4 years ago

SMS works a little differently in India; it’s more difficult to spoof the IDs the author is discussing.

unknown|4 years ago

[deleted]

williesleg|4 years ago

[deleted]

belatw|4 years ago

He should use this to tell everybody in India to stay hime, wear masks and stop going to mass worship ceremonies that are causing this devastating covid spike.

pWFk41mFfie1NOd|4 years ago

[deleted]

BiteCode_dev|4 years ago

41 comments