Biggest information breach in the history of Pakistan
In November 2011, Mr. Umar Saif took charge as chairman of PITB (Punjab Information Technology Board) with a vision of bringing about a digital revolution in Punjab. As a result, decades-old sensitive government data such as police records and land records was digitized. It would have been a great achievement had it stopped there. Without thinking through the implications, he began exposing this confidential data, along with the biodata of 200 million Pakistani citizens obtained from NADRA, through various APIs. Mobile apps and web portals with no proper cybersecurity controls were built for government officials, giving them direct access to NADRA, telco and PITB data. Over time these apps and the portal credentials leaked, and they are now in the hands of 15-year-old kids who sell copies online for 200 rupees each. This is an alarming situation for the entire nation: citizens' non-renewable identity data has leaked and is in the hands of anti-state and criminal actors.
Objective of this Post
- Identify all leaked data sources
- Record the current data access state
- Identify how widespread the leak is by now
- Determine whether the source is PITB, a PITB subsidiary or another government body
- Determine whether NADRA data is involved
- Determine whether telco data is involved
- Provide samples of the leaked data
- Identify the major leakers/dealers
- Provide screenshots of conversations with the sellers
- Record their PII, including real names, CNIC and mobile phone numbers
- Record the mode of payment
Recommendations from ‘InfoSec Team’
- NADRA should revoke all API access granted to PITB and to any other government or private body until they pass a comprehensive security assessment
- PITB should immediately take all of these APIs and portals off the open internet and change all IP addresses and API endpoints
- PITB should hire a proper team of security professionals and obtain a comprehensive security assessment of all of its apps and its datacenter for potential backdoors and vulnerabilities
- The Supreme Court of Pakistan must launch an inquiry into this matter to find the real culprits behind this massive data leak, and establish who was responsible for ensuring the security of these apps and APIs
Leaked Data Info
| # | Leaked data source | Features / data items | How current? | Current state | Data format | App URL / upload link | PITB? | NADRA? | Telco? |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Pakistan vs World XI mobile app | CNIC info, renter info and other | Latest, 2018 | Down | Mobile app with Punjab Job Portal API | Punjab Job Portal | Yes | Yes | Yes |
| 2 | Agriloan portal (farmer database) | Picture + CNIC details of any person | Latest, 2018 | Down | Online portal access | http://agriloan.punjab.gov.pk/user/login | Yes | Yes | No |
| 3 | CDR data | SMS and call records of any mobile number | Last 3 months | Working | Online portal access (telco CRM) | Various people have CRM access via VPN to all telcos | N/A | No | Yes |
| 4 | Telco dump | MDB databases containing registered mobile users per telecom operator | 2004-17 | Still valid | VM, MS Access, SQL databases | See Links & References | No | No | No |
| 5 | Police toolkit | Criminal history, renters record | Latest, 2018 | Down | punjabpolice.gov.pk mobile app | .apk being distributed in Facebook and WhatsApp groups | Yes | Yes | Yes |
| 6 | Person Tracker | Mobile phone tracking, geo coordinates | N/A | Working | Pakdata.ml application | https://play.google.com/store/apps/details?id=com.database.persontracker.lite&hl=en | Yes | Yes | Yes |
| 7 | NADRA family tree | Full B-form details including family biodata | Latest, 2018 | Not sure | Images of the files | Hidden / Facebook sellers have it | N/A | Yes | No |
Supporting Evidence
CNIC details extracted from World Cup app
A vulnerable Android app built by PITB for police during the Pakistan vs World XI cricket match in Lahore gives information on hotel check-ins and criminal records
CNIC details extracted from farmer portal (agriloan login)
Sample data extracted from NADRA's live systems through the API that PITB exposed in one of its public portals, 'Agriloan'
CDR data evidence
While this seems unrelated to the PITB leak, people have VPN access to the CRM systems of multiple telcos
CDRs (call data records) covering up to the last 3 months can be purchased for Rs 2,000 per number
Offline database dumps of Telecom data
The archives contain different telecom databases with accurate biodata up to 2016
People have built desktop applications on top of these offline databases and are selling them openly
Database sample of a customer's PII from a telecom company, leaked through its APIs as exposed to PITB apps
Police Toolkit leaking bio, driving license, criminal record, vehicle ownership data
Another vulnerable PITB web and mobile app for police investigation, being abused through credentials and APK files shared among police officials
Person Tracker App linked with PakData.ml/cf
Another criminal group has extracted the PITB APIs, dumped the data and connected it to their own apps available on the Play Store
Traffic police license record & Tenant Rentee Record
PITB apps expose complete access to traffic police driving licence records and citizens' tenant records
API Map of the leaked mobile apps
Endpoint names, IPs and APIs per app. The `%s` placeholders are the slots the app fills in at request time.

Pak vs World XI mobile app
- http://103.226.217.198:81/citizenverfication/api/citizen/biometricdevice [IP belongs to PITB]
- https://www.bioverisys.punjab.gov.pk/api
- http://103.226.217.198:81/citizenverfication/api/citizen/biometricdevice/citizen_profiling/cro_images [IP belongs to PITB]
- https://www.bioverisys.punjab.gov.pk/api/finger_verification
- API key: "wordlxisa13a3c4ade82b21f9eca5a6402a0"

PoliceKIT
- https://toolkit.punjabpolice.gov.pk/api_beta_1
- https://toolkit.punjabpolice.gov.pk/api_beta_1/citizen_profiling/cp
- https://toolkit.punjabpolice.gov.pk/api_beta_1/vehicles/searchexcise/?cnic=%s&engine_number=%s&chasis_number=%s&reg_number=%s&user_id=%s&version_no=%s
- https://toolkit.punjabpolice.gov.pk/api_beta_1/fir_detail/index
- https://toolkit.punjabpolice.gov.pk/api_beta_1/guarantor/index
- https://toolkit.punjabpolice.gov.pk/api_beta_1/citizen_profiling/cro_images
- https://toolkit.punjabpolice.gov.pk/api_beta_1/licence/licenseinfo/?cnic=%s&mobile_number=%s&user_id=%s&license_number=%s&version_no=%s
- https://toolkit.punjabpolice.gov.pk/api_beta_1/po/index/?cnic=%s&name=%s&father_name=%s&urf=%s&from_offset=%s&to_offset=%s&user_id=%s&version_no=%s
- https://toolkit.punjabpolice.gov.pk/api_beta_1/vehicles/searchvehicles/?engine_number=%s&chasis_number=%s&reg_number=%s&user_id=%s&version_no=%s
- https://toolkit.punjabpolice.gov.pk/api_beta_1/subscribers/mobiles/?cnic=%s&mobile_number=%s&user_id=%s&version_no=%s
- https://toolkit.punjabpolice.gov.pk/api_beta_1/subscribers/mobileCDR/?mobile_number=%s&email=%s&date_from=%s&date_to=%s&user_id=%s&version_no=%s
- https://toolkit.punjabpolice.gov.pk/api_beta_1/subscribers/nicDetail/?nic=%s&user_id=%s&version_no=%s
- https://toolkit.punjabpolice.gov.pk/api_beta_1/login/processLogin

Person Tracker
- https://pakdata.ml/
- Developer: m_hanifshah
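To show how an API map like the one above is produced from an app during a security assessment, here is an added example; it is not code from the original post, from PITB or from any app named on this page. It assumes the strings have already been pulled out of a decompiled APK (for instance from apktool's smali output or `strings` over classes.dex) into a text blob; the sample blob below is constructed, with its URLs and API key copied from the map above. The script lists each endpoint, its query parameters, whether it uses plain HTTP or an IP-literal host, and which lookup keys (CNIC, mobile number, CDR date range) travel in the query string, and it picks out long alphanumeric runs outside URLs as candidate hardcoded keys.

```python
"""Static triage of strings dumped from a decompiled mobile app.

Added example, not the original post's or PITB's code. It assumes the
app's strings are already in a text blob; SAMPLE_STRINGS below is a
constructed smali-style dump whose URLs and key come from the page's
API map.
"""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input (assumed smali layout; URLs/key from the page).
SAMPLE_STRINGS = """
const-string v0, "http://103.226.217.198:81/citizenverfication/api/citizen/biometricdevice"
const-string v1, "https://www.bioverisys.punjab.gov.pk/api/finger_verification"
const-string v2, "wordlxisa13a3c4ade82b21f9eca5a6402a0"
const-string v3, "https://toolkit.punjabpolice.gov.pk/api_beta_1/subscribers/mobileCDR/?mobile_number=%s&email=%s&date_from=%s&date_to=%s&user_id=%s&version_no=%s"
const-string v4, "https://toolkit.punjabpolice.gov.pk/api_beta_1/licence/licenseinfo/?cnic=%s&mobile_number=%s&user_id=%s&license_number=%s&version_no=%s"
const-string v5, "https://toolkit.punjabpolice.gov.pk/api_beta_1/login/processLogin"
const-string v6, "Content-Type"
"""

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
IP_HOST_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$')
# Heuristic: a long run of lowercase alphanumerics is a candidate embedded key.
TOKEN_RE = re.compile(r'\b[a-z0-9]{28,}\b')
# Query parameters that look up a citizen or a subscriber's records.
SENSITIVE_PARAMS = {
    "cnic", "nic", "mobile_number", "date_from", "date_to",
    "license_number", "engine_number", "chasis_number", "reg_number",
}


def extract_endpoints(text):
    """One dict per URL: host, path, parameter names and reviewer flags."""
    found = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        parts = urlsplit(url)
        # parse_qsl leaves the app's "%s" placeholders untouched (invalid escape)
        params = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        found.append({
            "url": url,
            "host": parts.netloc,
            "path": parts.path,
            "params": params,
            "plain_http": parts.scheme == "http",
            "ip_host": bool(IP_HOST_RE.match(parts.netloc)),
            "sensitive_params": sorted(set(params) & SENSITIVE_PARAMS),
        })
    return found


def extract_tokens(text):
    """Candidate hardcoded keys: long tokens that are not part of a URL."""
    url_spans = [m.span() for m in URL_RE.finditer(text)]
    return [
        m.group(0) for m in TOKEN_RE.finditer(text)
        if not any(s <= m.start() < e for s, e in url_spans)
    ]


def triage(text):
    """Summarise what a reviewer wants first: hosts, cleartext transport,
    raw-IP backends, endpoints keyed on PII, and embedded secrets."""
    eps = extract_endpoints(text)
    by_host = defaultdict(list)
    for ep in eps:
        by_host[ep["host"]].append(ep["path"])
    return {
        "hosts": dict(by_host),
        "plain_http": [ep["url"] for ep in eps if ep["plain_http"]],
        "ip_hosts": sorted({ep["host"] for ep in eps if ep["ip_host"]}),
        "sensitive_lookups": {
            ep["path"]: ep["sensitive_params"] for ep in eps if ep["sensitive_params"]
        },
        "candidate_keys": extract_tokens(text),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_STRINGS), indent=2))
```

Run it as-is to print a JSON summary of the constructed sample, or replace `SAMPLE_STRINGS` with a real string dump. The token heuristic is deliberately loose; a hit only means a reviewer should trace where that string is used in the code, which is how one confirms that a value like the one above is sent as an API key with every request.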
Pak vs World XI app Requests
Sample (unprotected) API calls captured from the PITB apps show that the apps are built and hosted in the PITB datacenter
A sample API call captured from the PITB app clearly shows the data it returns with no authentication in place
Open selling of Personal National data
Dozens of secret and public Facebook and WhatsApp groups are operating to sell all kinds of secret data leaked from PITB
PITB’s publicly available sensitive portals and admin panels
- https://hoteleye.punjab.gov.pk/
- http://mspc.punjab.gov.pk/
- http://eproc.punjab.gov.pk/
- http://mis.ppra.punjab.gov.pk/login/
- http://services.punjab.gov.pk/_login/
- http://roster.punjab.gov.pk/
- https://policereport.punjab.gov.pk/
- http://dashboard.tracking.punjab.gov.pk/
- http://sms.punjab.gov.pk/
- http://mis.hed.punjab.gov.pk/
- http://tracking.dgip.gov.pk/
- http://fars.pitb.gov.pk/admin/
- http://mail.e.pra.punjab.gov.pk/Mondo/lang/sys/login.aspx
- https://cims.punjab.gov.pk/dashboard/login
- http://crolahore.punjabpolice.gov.pk/
- http://crolahore.punjabpolice.gov.pk/login/process_login
- https://ctdfir.punjab.gov.pk/
- http://202.83.173.90/FIR/login
- https://www.pitb.gov.pk/hotel_eye
- https://www.pitb.gov.pk/iasb
- https://www.pitb.gov.pk/sis
- http://fc.punjab.gov.pk/services/
- https://es.punjab.gov.pk/eStampCitizenPortal/ChallanFormView/VerifyStamp
- http://ureport.punjab.gov.pk/
- https://fir.punjabpolice.gov.pk/login
PITB has made scores of such critical portals public; with no security controls in place, they are likely to be exploited in the coming days
Links & References
- http://agriloan.punjab.gov.pk/user/login
- https://play.google.com/store/apps/details?id=com.database.persontracker.lite&hl=en
- https://web.facebook.com/groups/348405338616564/
- MS Access format Mobilink DB: <Redacted>
- All Network DB (VM): <Redacted>
- MS Access format all telco databases: <Redacted>
- http://spamtools.bid/api_beta_v1/search_social.php?api_key=ae82&api_pass=90&num=
- 153.108.219/phone/index.php
- https://web.facebook.com/groups/1064783326913644/
- https://web.facebook.com/groups/686631538192520
- https://web.facebook.com/groups/591400437689297
- https://web.facebook.com/groups/1278169588886195
NADRA and PITB Hacked ?
NADRA and PITB may deny any claim that NADRA was hacked, but when data is fed out over APIs with no checks and balances it is no less than a hack. If confidential data sells for $2, that shows the lack of cyber security, and until those who sold the data are brought to account we can only say that NADRA was hacked.
NADRA CNIC Record
NADRA does provide official ways of checking the status of a CNIC, Smart Card, NICOP etc., hosted on its own official site at https://id.nadra.gov.pk/verify-id/, which makes sense. Giving access to third parties without establishing the credibility of their software and how securely it was built is nothing but a hazard and needs to be rethought. A quick Google search for 'nadra id card search by name' turned up many services offering such lookups, just like the few shared above. We hope digital security and information privacy are ensured by all nations.
Er Bilal
Huh?!
Damn… 😳
Farís Ibn-Haźkiel Altaír Ibn-La’Ahad
Azfar Ali
r.i.p
Ali Hasnain You had one job. 😂
fuck their cyber security management..