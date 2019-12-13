Adani Power Limited, one of India's largest power companies, was found to be hosting a flaw in one of its public URLs that could have allowed anyone to access sensitive information belonging to any of Adani's more than 3.2 million users across India (data as of September 2019). The flaw was spotted by Dhiraj Mishra on November 9, 2019, and subsequently reported to the company. It was patched on December 11, and the URL in question is no longer vulnerable.

The flaw in question was an instance of Insecure Direct Object Reference (IDOR). In simple terms, an IDOR flaw arises when a web application looks up a record using an identifier supplied by the user, here a customer account number, without checking that the requester is logged in and actually entitled to that record. In this case the URL could be reached without any authentication at all. As a result, anyone with malicious intent could simply have enumerated customer account numbers, keying in one after another, and every valid number would have returned sensitive details such as residential address, phone number, meter number and so on.
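To make the mechanism concrete, the following is an added illustration written for this article and not Adani Power's own code. It shows a lookup that returns whichever account the caller names (the IDOR), the same lookup hardened to serve only the account the caller's session owns, the sequential enumeration an attacker would run against the vulnerable version, and a simple check over access logs that flags a client querying many distinct account numbers. The customer records, account numbers, session tokens, URL shape and log lines are all constructed for the example; the article does not describe the real endpoint, so nothing here reproduces it.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample data (not real customers): records keyed by a
# sequential account number, which is what makes enumeration trivial.
CUSTOMERS: Dict[int, Dict[str, str]] = {
    100001: {"address": "12 Park Lane, Mumbai", "phone": "9800000001", "meter": "MTR-0001"},
    100002: {"address": "7 Hill Road, Ahmedabad", "phone": "9800000002", "meter": "MTR-0002"},
    100003: {"address": "3 Lake View, Pune", "phone": "9800000003", "meter": "MTR-0003"},
}

# Constructed sessions: token -> the one account the logged-in user owns.
SESSIONS: Dict[str, int] = {"tok-alice": 100001, "tok-bob": 100002}


def vulnerable_lookup(account_no: int) -> Optional[Dict[str, str]]:
    """IDOR: returns whichever record the caller names, with no session and
    no check that the caller is entitled to that account."""
    return CUSTOMERS.get(account_no)


def hardened_lookup(session_token: str, account_no: int) -> Optional[Dict[str, str]]:
    """Require a valid session and serve only the account that session owns.
    A foreign account gets the same None as a non-existent one, so the
    response does not confirm which account numbers exist."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise PermissionError("authentication required")
    if owner != account_no:
        return None
    return CUSTOMERS.get(account_no)


def enumerate_accounts(start: int, count: int) -> Dict[int, Dict[str, str]]:
    """What an attacker does against the vulnerable endpoint: walk a range of
    sequential account numbers and keep every hit."""
    found: Dict[int, Dict[str, str]] = {}
    for n in range(start, start + count):
        record = vulnerable_lookup(n)
        if record is not None:
            found[n] = record
    return found


def find_enumerators(log_lines: List[str], threshold: int) -> Dict[str, int]:
    """Detection over access-log lines of the constructed form
    '<timestamp> <client_ip> GET /account?no=<account_no> <status>':
    report clients that queried more distinct account numbers than threshold."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5 or not parts[3].startswith("/account?no="):
            continue
        client_ip, path = parts[1], parts[3]
        seen[client_ip].add(path.split("=", 1)[1])
    return {ip: len(nums) for ip, nums in seen.items() if len(nums) > threshold}


# Constructed log sample: one ordinary customer, one client walking account numbers.
SAMPLE_LOG = [
    "2019-11-09T10:00:01Z 198.51.100.7 GET /account?no=100002 200",
    "2019-11-09T10:00:02Z 203.0.113.5 GET /account?no=100001 200",
    "2019-11-09T10:00:02Z 203.0.113.5 GET /account?no=100002 200",
    "2019-11-09T10:00:03Z 203.0.113.5 GET /account?no=100003 200",
    "2019-11-09T10:00:03Z 203.0.113.5 GET /account?no=100004 404",
    "2019-11-09T10:00:04Z 203.0.113.5 GET /account?no=100005 404",
]


if __name__ == "__main__":
    print("vulnerable, enumerated:", enumerate_accounts(100000, 10))
    print("hardened, own account:", hardened_lookup("tok-alice", 100001))
    print("hardened, someone else's account:", hardened_lookup("tok-alice", 100002))
    print("suspected enumerators:", find_enumerators(SAMPLE_LOG, threshold=2))
```

The hardened version changes nothing about the account number itself; the fix is that the server decides which record to return from the session, and treats a request for any other account exactly like a request for a number that does not exist. The log check is a coarse signal only: a customer who mistypes their number once will not trip it, but a client walking hundreds of sequential numbers will.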

With such details, a third party could have targeted users with scam messages and phone calls, the latter commonly known as 'vishing'. Using this technique, scammers could have impersonated the company by furnishing genuine account details, tricking users into revealing critical financial information. Given the nature of this flaw, any of the 3.2 million users of Adani Power's service could have been exposed to vishing, spam messages and similar follow-on attacks.

Such attacks are not only common, but are also in line with how most financial scams take place. Since learning of the flaw, News18 has independently verified that the Adani Power URL in question can no longer be accessed without authorisation. News18 has also reached out to Adani Power for details on whether it has any knowledge of information being exposed or misused through this flaw, and whether it has informed its users about it.

The story will be updated once an official response is received from Adani Power on this matter.
