How I Could Leak Personal Phone Numbers of All Registered Indian Voters

Can result in large-scale election-related scams in India.

Sai Krishna Kothapalli
7 min read · Dec 16, 2021

It’s just two days until the elections in your hometown.

You’re coming back from work in your car. There’s a red light up ahead, so you’re scrolling through your phone. Tired of all the promotional “vote for us” videos on YouTube, you check Twitter instead.

You’re happily scrolling through when you receive a message from the government (one of those credible IDs like “HPGOVT” or “ECISMS”) stating your voter ID with the message that your polling station for the upcoming elections has been changed to a neighbouring locality.

It’s surprising but not unexpected. You make a mental note and continue scrolling until the lights turn green, and you can go back home.

Fast forward two days. It’s 11 AM, and the sun is at its harshest. You’ve been standing in the queue for forty-five minutes and are already at the end of your patience. Finally, it’s your turn, and you step inside. The polling officer looks at your Voter ID card, goes through the list of voters registered in this station, and gives you a weird look.

“Your name is not on the list,” they say. And then, with a dismissive nod, they beckon the next person in the queue to come forward.

You’re shocked. Being a responsible citizen, you waited so long in the pre-noon sunlight only to be told you can’t vote. Surely there must be a mistake, you tell the polling officer. You got a message a few days ago saying your vote has been shifted to this new polling station.

But it’s a busy day. There are hundreds of people waiting after you in the queue to vote. No one has the time or patience to entertain your protests.


Defeated, you walk out, wiping the sweat from your brow.

The country and its government are going nowhere, you think to yourself. Even responsible citizens like you who want to vote can’t do so because of bureaucratic incompetence. You know you could go to your original polling station to check whether your name is on the list there, but it’s almost 12 PM now, and the queue there would be longer. The thought of spending another two hours in the harsh sunlight makes you shudder, and you head back home.

Given how big a country India is and how easy it is to make and ignore mistakes such as this, it doesn’t sound like an implausible scenario, does it?

What if I told you this wasn’t because of some institutional mess-up but a pre-planned, coordinated move by some political organization with ulterior motives to ensure you can’t cast your vote?

That doesn’t make sense, you’d think. You aren’t someone super important that someone will make so much effort to ensure you can’t vote, right?

Wrong.

It’s not just you, but what if they targeted ten thousand other people like you who were inclined to vote for one party?

By canceling all your votes, they made sure a particular political party had ten thousand fewer votes, and the whole elections of the constituency can be manipulated.

Now imagine this on a larger scale, not in thousands, but in crores. I wish this were a fictional situation, but with two hacks I recently stumbled upon, this is very much possible.

The First Loophole

I found a loophole that let me use credible IDs like “HPGOVT” or “ECISMS” and send text messages to every person in the country. More details are here.

This loophole has been patched now, but sending text messages from these IDs is not the only way to manipulate the elections.

If your inclination towards a particular political party is known, you can be the target of such a mass scam if your phone number, voter ID, and other details like family names, etc., are known.

But how can anyone know who you’d vote for?

Easy: based on the political, religious, and caste-based breakdown of the population of a particular constituency and the election results of the past, a fair guess can be made.

The Second Loophole

To do the above on such a mass level, you’d need access to the entire electoral roll, which is already public. But the phone numbers are not.

If there were a way to find the phone numbers and associate them with the voter IDs, such a mass action could easily be taken, and the public could be manipulated so the result turns out in the attacker’s favour.

This write-up is about a vulnerability I recently found that has exactly such implications.

How can we get personal phone numbers?

Step one: Go to e-EPIC (Elector Photo Identity Card) Download at the National Voters’ Services Portal.

Next, you will be prompted to log in.

Oh, there’s a captcha? Nice!

Step two: Once you log in, you must provide your EPIC number and select your state. After that, you can see your Name, Father’s Name, State, Constituency, Mobile No, and Email ID.

As you can see, my Mobile Number and Email ID are redacted, which is how it is supposed to be.

Now, what is the issue here, you ask?

When you click on the “Send OTP” button, this request is sent to the NVSP servers. It sends an OTP to the user to verify them before the e-EPIC document is downloaded.

I redacted some info from the screenshot, like the Cookie and the recordkey parameter.

As you can see, the complete mobile number is displayed in the response. I redacted the mobile number in the screenshot.

How can the system be misused?

As you can see in the second picture, we need two parameters to get someone’s personal phone number.

  1. EPIC number, and
  2. State name.

Using these there are three ways the system can be abused.

1. Targeting Specific Individuals

If you do not know a person’s EPIC number, but you know their Father’s Name, Age, State, etc., you can get the EPIC number details from the Electoral search portal.

This is of medium impact, as targeting specific individuals one by one takes a huge amount of time and effort before it has any effect on a large scale.

2. Targeting Random Individuals

The EPIC numbers are sequential, but we don’t know which state they belong to. So one can brute-force the state ID parameter (28 states + 8 Union territories). This way, one ID has to be tried at most 36 times, which is quite doable.

You will end up with phone numbers, names, Father’s/Husband’s names, EPIC numbers, and state names of random individuals. This data can be used in other scams if not in election-related scams.

3. Targeting a particular Constituency

EPIC numbers are on the electoral rolls published by the election commission during elections. This data is publicly available.

Electoral roll from Visakhapatnam East: Link

Since we already know the EPIC numbers and the state name, one can write a script to get the personal phone numbers of everybody in that constituency.

This is, so far, the most dangerous and highly effective way you can abuse this loophole. Huge sections of the country can be targeted in election-related scams this way, potentially rendering crores of individual voices meaningless.
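The two server-side fixes the abuse cases above call for, as an added example that is not the NVSP portal’s own code: the send-OTP response stops echoing the full mobile number, and a client that cycles through many EPIC/state pairs (the state brute-force and the constituency-wide script) is refused. The voter records, EPIC numbers, mobiles and the lookup limit are all constructed assumptions.

```python
"""Added example, not the NVSP portal's own code: a send-OTP handler that
never returns the full mobile number and throttles bulk EPIC lookups."""
import re
from collections import defaultdict

# Constructed sample data: EPIC numbers, names and mobiles are made up.
VOTERS = {
    ("ABC1234567", "Andhra Pradesh"): {"name": "Example Voter",
                                        "mobile": "9876543210"},
    ("ABC1234568", "Andhra Pradesh"): {"name": "Another Voter",
                                        "mobile": "9123456780"},
}
LOOKUP_LIMIT = 5          # assumed: distinct EPIC/state pairs per session
_seen = defaultdict(set)  # client id -> set of (epic, state) already asked


def mask_mobile(mobile: str) -> str:
    """Show only the last two digits; the rest never reaches the client."""
    digits = re.sub(r"\D", "", mobile)
    return "X" * (len(digits) - 2) + digits[-2:]


def deliver_otp(mobile: str) -> None:
    """Stand-in for the SMS gateway; the real number stays server-side."""
    return None


def send_otp_vulnerable(epic: str, state: str) -> dict:
    """The behaviour the post describes: full mobile in the response body."""
    rec = VOTERS[(epic, state)]
    deliver_otp(rec["mobile"])
    return {"status": "OTP sent", "mobile": rec["mobile"]}


def send_otp_fixed(client_id: str, epic: str, state: str) -> dict:
    """Hardened handler: masked number, and bulk enumeration is refused."""
    key = (epic, state)
    asked = _seen[client_id]
    if key not in asked and len(asked) >= LOOKUP_LIMIT:
        # A client walking through many EPIC/state pairs is the
        # enumeration pattern from the post: refuse it (and alert on it).
        return {"status": "rejected", "reason": "lookup limit exceeded"}
    asked.add(key)
    rec = VOTERS.get(key)
    if rec is None:
        return {"status": "unknown"}
    deliver_otp(rec["mobile"])
    # Only the masked form is echoed; the OTP itself proves possession.
    return {"status": "OTP sent", "mobile": mask_mobile(rec["mobile"])}
```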

Timeline:

  • October 22, 2021 — Sent vulnerability submission to CERT-IN. No acknowledgement of receipt or reply of any kind.
  • December 7, 2021 — Got a mail that they are in touch with the concerned authorities to take action.
  • December 14, 2021 — The vulnerability has been patched. (I verified on this date; it might have been patched earlier that week.)
  • December 15, 2021 — CERT-IN mailed me a confirmation that the vulnerability has been fixed.

The CERT-IN website states that they will acknowledge a vulnerability within 72 working hours; here it took 46 days to get a reply.

Closing Thoughts

What do you think of the scale of the implications of this one? Let me know in the comments or Tweet me @kmskrishna.
