Vulnerability reported on CDSL Ventures website; resolved now: MoS Finance

A vulnerability was reported on the CDSL Ventures website that allowed access to another user's details by changing that user's reference ID, Minister of State for Finance Pankaj Chaudhary informed the Lok Sabha on Monday.


PTI | New Delhi | Updated: 29-11-2021 17:18 IST | Created: 29-11-2021 17:18 IST
Country: India

A vulnerability was reported on the CDSL Ventures website that allowed access to another user's details by changing that user's reference ID, Minister of State for Finance Pankaj Chaudhary informed the Lok Sabha on Monday. The minister said that the vulnerability has now been closed. "There has been no reported authorization vulnerability in any of the application programming interfaces (APIs) and/or website of Central Depository Services Ltd (CDSL). However, a vulnerability in the website of CDSL Ventures Limited (CVL), which is a subsidiary of CDSL and registered as a KYC Registration Agency (KRA) with SEBI, was reported," Chaudhary said in a written reply.

He was responding to questions by Lok Sabha MP Manish Tewari on the vulnerability in the system.

Cyber security firm CyberX9 had reported that a vulnerability in CDSL Ventures Limited (CVL) had exposed the personal and financial data of over 4 crore Indian investors twice in 10 days.

Chaudhary said the National Critical Information Infrastructure Protection Centre (NCIIPC) reported on October 20 that the CVL web portal was vulnerable to insecure direct object references (IDOR).

The vulnerability was observed on the CVL login page, where a user could access another user's details by changing the reference ID, the minister said. "The issue pertains to a specific page in the CVL website and is not related to any APIs. The vulnerability was mitigated by CVL on October 26, 2021, with a quick fix by encrypting the reference ID, which was being passed in clear text," Chaudhary said. A second vulnerability alert was received by CVL on October 31, and since development was already underway at CVL for a permanent fix, the vulnerability was mitigated on the same day and confirmed to the Indian Computer Emergency Response Team (CERT-In), he added.
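The two paragraphs above describe the bug class (an insecure direct object reference on a lookup page keyed by a client-supplied reference ID) and two stages of remediation: a quick fix that stops the ID being guessable, and a permanent fix that was still in development. The following is an added illustration of that pattern, not CVL's code and not anything the minister's reply contains. The records, function names and key are constructed for the example; the quick fix here uses a keyed HMAC tag to make the ID opaque rather than encryption, which gives the same anti-guessing property for illustration purposes.

```python
# Added illustration of an insecure direct object reference (IDOR) on a
# "lookup by reference ID" page, with a quick fix (opaque, tamper-evident
# IDs) and the permanent fix (server-side authorization against the
# logged-in user). Not CVL's code; records, names and key are constructed.
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample KYC records, keyed by a sequential reference ID.
RECORDS = {
    "100001": {"owner": "alice", "pan": "AAAAA0000A", "phone": "9000000001"},
    "100002": {"owner": "bob",   "pan": "BBBBB1111B", "phone": "9000000002"},
}


# --- Vulnerable: trusts the client-supplied reference ID ---------------------
def lookup_vulnerable(ref_id: str) -> Optional[dict]:
    """Returns whichever record the caller names; changing 100001 to 100002
    in the request yields another user's details."""
    return RECORDS.get(ref_id)


# --- Quick fix: opaque, tamper-evident reference IDs -------------------------
# A keyed MAC is appended to the ID so a client cannot forge or enumerate IDs.
SERVER_KEY = secrets.token_bytes(32)  # constructed; in practice a stored secret


def _tag(ref_id: str) -> str:
    return hmac.new(SERVER_KEY, ref_id.encode(), hashlib.sha256).hexdigest()[:32]


def make_opaque_ref(ref_id: str) -> str:
    """Token the server hands out in place of the bare reference ID."""
    return f"{ref_id}.{_tag(ref_id)}"


def unwrap_opaque_ref(token: str) -> Optional[str]:
    """Recovers the reference ID only if the tag verifies; None otherwise."""
    ref_id, _, tag = token.partition(".")
    if not tag or not hmac.compare_digest(tag, _tag(ref_id)):
        return None
    return ref_id


def lookup_opaque(token: str) -> Optional[dict]:
    """Blocks guessed IDs, but still returns any record whose valid token the
    caller presents (for example a leaked or shared link): no ownership check."""
    ref_id = unwrap_opaque_ref(token)
    return RECORDS.get(ref_id) if ref_id else None


# --- Permanent fix: authorize against the authenticated user -----------------
def lookup_authorized(session_user: str, ref_id: str) -> Optional[dict]:
    """Returns the record only if it belongs to the authenticated user.
    'Not found' and 'not yours' give the same response so the endpoint does
    not confirm which other reference IDs exist."""
    rec = RECORDS.get(ref_id)
    if rec is None or rec["owner"] != session_user:
        return None
    return rec


if __name__ == "__main__":
    print(lookup_vulnerable("100002"))               # bob's data, no check at all
    print(lookup_opaque("100002.0000"))              # None: forged tag rejected
    print(lookup_opaque(make_opaque_ref("100002")))  # still bob's data with a valid token
    print(lookup_authorized("alice", "100002"))      # None: not alice's record
    print(lookup_authorized("bob", "100002"))        # bob's own data
```

The opaque-ID step closes the enumeration that the article describes (incrementing a reference ID in the request), but it is a mitigation rather than an authorization control: the server still never asks who is logged in. The `lookup_authorized` form ties the lookup to the session, which is the check an IDOR fix ultimately needs.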

"A forensic audit was also conducted as directed by the Securities and Exchange Board of India (SEBI). The external auditor of CVL also checked and certified that the reported vulnerability has been closed," Chaudhary said.

(This story has not been edited by Devdiscourse staff and is auto-generated from a syndicated feed.)
