Summary
One of India's leading power supply companies, Adani Power Limited, is the power business subsidiary of the Indian conglomerate Adani Group. A subdomain was vulnerable to IDOR (Insecure Direct Object Reference), which could allow attackers to view the bills of any user across India. The bill includes details such as name, address, bill amount, unit rate, previous bill details, etc.
I found this vulnerability while using one of their services.
Vulnerable URL: https://iss.adanielectricity.com/VAS/ProcessDownloadPDF.jsp?TXTCANO=xxxxxxxxx
The parameter `TXTCANO` in the above URL contains a 9-digit value which can be predicted; changing the value of that parameter allowed attackers to view the bills of any other user. (Proof of Concept)
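The root cause here is a missing object-level authorization check: the server trusts the `TXTCANO` value in the URL without confirming that the account belongs to the logged-in user. The following is an added illustrative model, not the site's own code, showing the check that closes the hole together with a simple detector for the access-log pattern a predictable identifier being enumerated leaves behind. The account numbers, users and log lines are constructed sample data; the `sess=` field in the log format is an assumption.

```python
"""Object-level authorization for a bill-download endpoint, plus a simple
enumeration detector over access-log lines.

Added illustrative model, not the site's code.  Account numbers, users and
log lines below are constructed sample data.
"""
import re
from collections import defaultdict
from typing import Optional

# Constructed sample data: 9-digit consumer account number -> bill record.
BILLS = {
    "100000001": {"name": "Customer A", "amount": 1250.00},
    "100000002": {"name": "Customer B", "amount": 830.50},
}

# Constructed: the consumer accounts each authenticated portal user owns.
USER_ACCOUNTS = {
    "user-a": {"100000001"},
    "user-b": {"100000002"},
}

ACCOUNT_RE = re.compile(r"\d{9}")


class AuthorizationError(Exception):
    pass


def download_bill(session_user: Optional[str], txtcano: str) -> dict:
    """Serve a bill only when the requested account belongs to the caller.

    This is the check the IDOR lacked: the identifier in the URL is never
    trusted on its own; it must be one of the caller's own accounts.
    """
    if session_user is None:
        raise AuthorizationError("authentication required")
    if not ACCOUNT_RE.fullmatch(txtcano):
        raise AuthorizationError("invalid request")
    # Ownership is checked before the lookup, so an unknown account and a
    # foreign account produce the same error: no existence oracle.
    if txtcano not in USER_ACCOUNTS.get(session_user, set()):
        raise AuthorizationError("invalid request")
    bill = BILLS.get(txtcano)
    if bill is None:
        raise AuthorizationError("invalid request")
    return bill


def can_download(session_user: Optional[str], txtcano: str) -> bool:
    """Boolean wrapper for callers (and tests) that only need yes/no."""
    try:
        download_bill(session_user, txtcano)
        return True
    except AuthorizationError:
        return False


# Constructed access-log lines (client ip, session id, request line).  The
# first session walks consecutive account numbers, the trace an enumeration
# of a predictable identifier leaves behind.
SAMPLE_LOG = """\
203.0.113.5 sess=abc GET /VAS/ProcessDownloadPDF.jsp?TXTCANO=100000001
203.0.113.5 sess=abc GET /VAS/ProcessDownloadPDF.jsp?TXTCANO=100000002
203.0.113.5 sess=abc GET /VAS/ProcessDownloadPDF.jsp?TXTCANO=100000003
203.0.113.5 sess=abc GET /VAS/ProcessDownloadPDF.jsp?TXTCANO=100000004
198.51.100.7 sess=xyz GET /VAS/ProcessDownloadPDF.jsp?TXTCANO=100000002
198.51.100.7 sess=xyz GET /VAS/Home.jsp
"""

LOG_RE = re.compile(
    r"^(?P<ip>\S+) sess=(?P<sess>\S+) GET \S*ProcessDownloadPDF\.jsp\?TXTCANO=(?P<acct>\d{9})"
)


def find_enumerators(log_text: str, threshold: int = 3) -> dict:
    """Return {session: distinct_accounts} for sessions that requested more
    distinct TXTCANO values than the threshold.  A legitimate customer
    touches one or a few accounts; many distinct values in one session is
    the signature of enumeration."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["sess"]].add(m["acct"])
    return {s: len(a) for s, a in seen.items() if len(a) > threshold}


if __name__ == "__main__":
    print(download_bill("user-a", "100000001"))   # own bill: served
    print(can_download("user-a", "100000002"))    # another customer's bill: False
    print(find_enumerators(SAMPLE_LOG))           # {'abc': 4}
```

The ownership check runs before the data lookup so that a request for a non-existent account and a request for another customer's account are indistinguishable to the client. The detector is deliberately coarse; in production the threshold would be tuned per endpoint and joined with the authorization-failure events the handler emits.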
Chaining bugs: from viewing bills to account takeover
If the user is not registered under Adani MyAccount, the bill obtained using the above method contains two important details, i.e. the Account Number and Meter Number, using which an attacker could register the user's account and perform fraudulent activity.
It was also observed that when you navigate to the registration page and provide a valid "Account Number" and "Meter Number", the MSISDN associated with that account is also disclosed. (Proof of Concept)
PS: The registration process sends an OTP to the mapped MSISDN, but it was also identified that there is no rate limiting; hence a brute-force attack would help attackers find the actual OTP, or attackers could simply edit the MSISDN and insert their own to receive the OTP.
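Three separate defects are described in the two paragraphs above: the registration page echoes the full MSISDN, the OTP can be redirected by editing the phone number in the request, and OTP verification has no rate limit. The following is an added illustrative model, not the site's own code, of a registration OTP flow that addresses all three: the destination is always the number on file, the number shown back is masked, and each challenge is single-use, expires, and is destroyed after a fixed number of wrong guesses. Account, meter and phone numbers are constructed placeholders; the attempt limit and lifetime are assumptions.

```python
"""Registration OTP flow hardened against the issues described above: the
OTP goes only to the MSISDN on file (never to a client-supplied number),
the number shown to the user is masked, and verification is rate limited,
single-use and time-limited.

Added illustrative model, not the site's code.  Accounts, meter numbers and
phone numbers below are constructed placeholders.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # wrong guesses allowed per challenge (assumed policy)
OTP_TTL_SECONDS = 300     # challenge lifetime (assumed policy)

# Constructed: (account number, meter number) -> registered MSISDN on file.
ACCOUNTS = {
    ("100000001", "MTR-0001"): "+910000000001",
}


def mask_msisdn(msisdn: str, visible: int = 2) -> str:
    """Show only the last `visible` digits, e.g. +910000000001 -> ******01."""
    return "*" * 6 + msisdn[-visible:]


@dataclass
class OtpChallenge:
    code: str
    expires_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms    # callable(msisdn, text); injected so a test can capture it
        self._clock = clock
        self._challenges = {}        # account number -> OtpChallenge

    def start_registration(self, account_no, meter_no, requested_msisdn=None):
        """Issue an OTP.  Returns the masked destination, or None on failure.

        `requested_msisdn` is accepted only to show that it is ignored: the
        destination is always the number on file, so editing the number in
        the request cannot redirect the OTP.
        """
        msisdn = ACCOUNTS.get((account_no, meter_no))
        if msisdn is None:
            return None              # generic failure; do not say which field was wrong
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[account_no] = OtpChallenge(code, self._clock() + OTP_TTL_SECONDS)
        self._send_sms(msisdn, f"Your verification code is {code}")
        return mask_msisdn(msisdn)   # the UI sees ******01, never the full number

    def verify(self, account_no, submitted):
        ch = self._challenges.get(account_no)
        if ch is None:
            return False
        if self._clock() > ch.expires_at:
            del self._challenges[account_no]
            return False
        ch.attempts += 1
        if hmac.compare_digest(ch.code, submitted):
            del self._challenges[account_no]    # single use: no replay
            return True
        if ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[account_no]    # lockout: the challenge dies long before the space is searched
        return False


def demo():
    """Run the flow once and return the observable outcomes."""
    sent = []
    svc = OtpService(send_sms=lambda m, t: sent.append((m, t)))
    masked = svc.start_registration("100000001", "MTR-0001", requested_msisdn="+919999999999")
    destination, real_code = sent[0][0], sent[0][1].split()[-1]
    wrong = "000000" if real_code != "000000" else "999999"
    guesses = [svc.verify("100000001", wrong) for _ in range(MAX_ATTEMPTS)]
    locked_out = svc.verify("100000001", real_code)  # correct code, but the challenge is gone
    svc.start_registration("100000001", "MTR-0001")
    fresh_code = sent[1][1].split()[-1]
    ok = svc.verify("100000001", fresh_code)
    replay = svc.verify("100000001", fresh_code)
    bad_pair = svc.start_registration("100000001", "MTR-9999")
    return {"masked": masked, "destination": destination, "guesses": guesses,
            "locked_out": locked_out, "ok": ok, "replay": replay, "bad_pair": bad_pair}


if __name__ == "__main__":
    print(demo())
```

The attacker-supplied number in `requested_msisdn` never reaches the SMS gateway, which is the fix for the MSISDN-editing path; the attempt counter and expiry together bound a brute-force attempt to a handful of guesses against a six-digit space; and returning only the masked number removes the disclosure on the registration page.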
Hence the attacker now has personally identifiable information (PII) of the end user, i.e. name, address, phone number and the other details in the bill. Such information can aid attackers in conducting targeted attacks such as vishing, information gathering via SMS, and attempting to steal payment information by impersonating the actual service provider via SMS or telephone calls.
As per their About page, Adani Electricity has 2.9 million users.
Timeline: The vulnerability was responsibly reported to Adani Electricity via group[.]csoc[at]adani[.]com on 9th Nov 2019 and was patched, without any acknowledgement, on 11th December 2019.