“No authorization vulnerabilities have been reported in the application programming interfaces (APIs) and / or the Central Depository Services Ltd (CDSL) website. However, a vulnerability in the website of CDSL Ventures Limited (CVL), which is a subsidiary of CDSL and registered as a KYC Registration Agency (KRA) with SEBI, has been reported,” Chaudhary said in a written response.
He was responding to questions from Lok Sabha MP Manish Tewari about the vulnerability of the system.
The cybersecurity firm CyberX9 reported that a vulnerability in CDSL Ventures Limited (CVL) exposed the personal and financial data of more than 4 million Indian investors twice in 10 days.
Chaudhary said the National Critical Information Infrastructure Protection Centre (NCIIPC) reported on October 20 that CVL’s web portal was vulnerable to insecure direct object references (IDOR).
The vulnerability was observed on CVL’s login page, where another user’s details could be accessed by changing the user’s referral ID, the minister said.
“The issue relates to a specific page of the CVL website and is not related to any API. The vulnerability was mitigated by CVL on October 26, 2021, with a quick fix by encrypting the referral ID, which was transmitted as plain text,” Chaudhary said.
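The flaw described in the two preceding paragraphs is an insecure direct object reference: the portal looked up a record by a client-supplied identifier without verifying that the logged-in user owned it. The illustration below is an added example, not CVL's code (the record store, account names and log format are constructed); it shows that pattern beside the server-side ownership check that closes it, and a simple detection over access logs for sessions that walk through many identifiers.

```python
from dataclasses import dataclass
from collections import defaultdict
from typing import Optional

# Constructed sample store: reference id -> owning account plus the KYC fields it guards.
RECORDS = {
    "REF-1001": {"owner": "alice", "pan_last4": "1234"},
    "REF-1002": {"owner": "bob", "pan_last4": "9876"},
}

@dataclass
class Request:
    session_user: Optional[str]  # authenticated account, None if anonymous
    reference_id: str            # object identifier supplied by the client

def lookup_vulnerable(req: Request) -> Optional[dict]:
    """IDOR pattern: the caller is authenticated, but the client-supplied id is
    trusted, so any logged-in user can read another user's record by changing it."""
    if req.session_user is None:
        return None
    return RECORDS.get(req.reference_id)  # no ownership check

def lookup_fixed(req: Request) -> Optional[dict]:
    """Server-side authorization: release the record only to the session that owns it.
    Encrypting or obscuring the id on the wire does not by itself give this guarantee;
    the check has to be on ownership, whatever form the id takes."""
    if req.session_user is None:
        return None
    record = RECORDS.get(req.reference_id)
    # Same response for 'missing' and 'not yours', so errors do not reveal which ids exist.
    if record is None or record["owner"] != req.session_user:
        return None
    return record

def flag_enumeration(log_lines, threshold: int = 3) -> set:
    """Detection: sessions that touched more than `threshold` distinct reference ids.
    Lines look like 'session=<user> ref=<id>' (constructed format, not CVL's logs)."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        seen[fields["session"]].add(fields["ref"])
    return {user for user, ids in seen.items() if len(ids) > threshold}

if __name__ == "__main__":
    probe = Request(session_user="bob", reference_id="REF-1001")  # bob asks for alice's record
    print("vulnerable:", lookup_vulnerable(probe))  # alice's record is returned
    print("fixed:", lookup_fixed(probe))            # None
    sample_log = ["session=bob ref=REF-1001", "session=bob ref=REF-1002",
                  "session=bob ref=REF-1003", "session=bob ref=REF-1004",
                  "session=alice ref=REF-1001"]
    print("suspicious sessions:", flag_enumeration(sample_log))  # {'bob'}
```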
A second vulnerability alert was received by CVL on October 31, and since development of a permanent fix was already under way at CVL, the vulnerability was mitigated the same day and confirmed to the Indian Computer Emergency Response Team (CERT-In), he added.
“A forensic audit was also conducted in accordance with the instructions of the Securities and Exchange Board of India (SEBI). CVL’s external auditor also verified and certified that the reported vulnerability has been closed,” Chaudhary said.