Srinivas Kodali writes:
In the wee hours of December 1, 2016, Javed Khatri, a 22-year-old programmer (note: not a hacker) discovered a common security vulnerability/bug in the Narendra Modi app. Khatri was able to access the personal information of every registered user of the application through this vulnerability. After sending out a tweet (below) to Modi to report the vulnerability, he approached a popular startup media organisation called YourStory to get the news out. YourStory published the vulnerability as an interview with Javed on December 2.
However, the post was brought down by the media house when they realised it is still an ‘open bug’ (recognised by its builders and being worked upon) and issued a clarification later in the night. Firstpost also similarly reported it and took the story down. It was later picked up by other news organisations as well.
Read more on Business Standard. The article provides more details on the vulnerability, as well as a discussion of responsible disclosure and the concerning state of infosecurity of government apps in India. He ends his commentary with this clear warning:
It needs to be noted that similar issues in government applications exist at large and receive little or no coverage. When you put college kids in a chair for a hackathon to solve India’s problems, what is it that the government, industry bodies are expecting? Most applications in the name of ‘Smart Cities’ and ‘Digital India’ are being made by students with no background in security and are being pushed onto government officials by unskilled businessmen dressed up as venture capitalists. There is little doubt about where the government-tech industry is going in terms of security: just down.