Data Leak at Indian Bank Domain Registrar Exposes Sensitive Employee Information
The Reserve Bank of India's initiative to enhance online banking security with the .bank.in subdomain has been compromised by a significant data leak. The Institute for Development and Research in Banking Technology (IDRBT), the designated registrar, allegedly exposed sensitive information of 5,576 bank employees due to inadequate security measures on its Domain Registration Portal. A security researcher, Srikanth L, reported that the portal had over 33 unauthenticated API endpoints, allowing unauthorized access to bcrypt password hashes, mobile numbers, email addresses, and device fingerprints. Many .bank.in domains lack essential security protocols like DNSSEC and DMARC, and some are hosted on shared servers abroad. The portal operated with these vulnerabilities for 13 months without a proper security audit. Although IDRBT has reportedly addressed the vulnerabilities, the initial exposure could facilitate phishing and DNS spoofing attacks, undermining the RBI's efforts to combat fraud.
Key Points:
• IDRBT's portal exposed sensitive data of 5,576 bank employees due to security flaws.
• The portal had over 33 unauthenticated API endpoints allowing unauthorized access.
• Many .bank.in domains lack critical security protocols like DNSSEC and DMARC.