SQL injection flaw exposed details of 47,000 employees

It’s been a busy weekend for Bharat Sanchar Nigam Limited (BSNL), after the state-owned Indian telecommunications company was alerted to a series of vulnerabilities – including an SQL injection flaw that exposed the personal details of the group’s 47,000 employees.

In a lengthy Twitter thread published yesterday, French security researcher Robert Baptiste – who goes by the Mr Robot-inspired handle, Elliot Alderson – provided a breakdown of the vulnerabilities.

“There was a SQL injection [flaw] in their intranet website,” said Baptiste. “It allows the attacker to dump the [entire] database of the BSNL intranet. It contains the information of 47K+ BSNL employees, senior officers’ information, BSNL administrators’ information, retired employee details, and more.”

During his investigation, Baptiste also found open directories in numerous BSNL-owned websites, which allowed anyone to access the documents. A bandwidth monitoring system was also found to be publicly accessible.

Providing further headaches to the telco’s sysadmins this weekend, the researcher also discovered that two BSNL intranets had fallen victim to ransomware attacks. “They didn’t even seem to notice,” he stated.

Although Baptiste noted that BSNL was first alerted to the SQLi flaw by another researcher more than two years ago, he commended the telco for its swift response to his security alert.

News of the vulnerabilities comes less than a year after New Delhi-based BSNL suffered a malware attack that impacted nearly 2,000 broadband users.