Vulnerability reported on CDSL Ventures website; resolved now: MoS for Finance Pankaj Chaudhary
The minister said that the vulnerability has been closed now.
A vulnerability was reported on the CDSL Ventures website that showed the possibility of getting access to the details of another user by changing the reference ID of the user, Minister of State for Finance Pankaj Chaudhary informed the Lok Sabha on Monday.
"There has been no reported authorization vulnerability in any of the application programming interfaces (APIs) and/or website of Central Depository Services Ltd (CDSL). However, a vulnerability in the website of CDSL Ventures Limited (CVL), which is a subsidiary of CDSL and registered as KYC Registration Agency (KRA) with SEBI, was reported," Chaudhary said in a written reply.
He was responding to questions by Lok Sabha MP Manish Tewari on vulnerability in the system.
Cybersecurity firm CyberX9 had reported that a vulnerability at CDSL Ventures Limited (CVL) had exposed the personal and financial data of over 4 crore Indian investors twice in 10 days.
Chaudhary said the National Critical Information Infrastructure Protection Centre (NCIIPC) reported on October 20 that the web portal of CVL is vulnerable to insecure direct object references.
The vulnerability was observed on the login page of CVL showing a possibility of getting access to the details of another user by changing the reference ID of the user, the minister said.
"The issue pertains to a specific page in the CVL website and is not related to any APIs. The vulnerability was mitigated by CVL on October 26, 2021, with a quick fix by encrypting the reference ID, which was getting passed as a clear text," Chaudhary said.
A second vulnerability alert was received by CVL on October 31, and since development was already underway at CVL for a permanent fix, the vulnerability was mitigated on the same day and confirmed to the Indian Computer Emergency Response Team (CERT-In), he added.
"A forensic audit was also conducted as directed by the Securities and Exchange Board of India (SEBI). The external auditor of CVL also checked and certified that the reported vulnerability has been closed," Chaudhary said.