I could send any text message from Indian government IDs

by winchester6788 on 5/12/2021, 7:35 AM with 41 comments

by bellyfullofbac on 5/12/2021, 1:48 PM

I like that in the middle of that, a wild "block-chain" appeared. Congrats to whichever consulting company managed to sell that bullshit to the government.

by the-dude on 5/12/2021, 10:29 AM

I think the author went way over the line here and should probably retract ASAP for his own well being.

by megous on 5/12/2021, 12:41 PM

> You would likely believe it, given the sender ID, wouldn’t you?

No. I absolutely don't believe anyone unknown calling me, no matter who he claims to be, or what the CLIP says, unless I can call back to a public number of the institution he claims to represent. CLIP just isn't secure.

I choose to risk believing for non-essential things, because security is just not convenient. But banks, government, anything where there's well reported fraud going on regularly,... no way.

Calling back is also good, because outgoing calls are automatically recorded by my operator and sent to my email, so if I'm to enter into any agreement, it's better to do it on an outgoing call.

by woliveirajr on 5/12/2021, 12:42 PM

> Essentially, anyone can’t send arbitrary messages using the above-mentioned loophole anymore. TRAI’s new system fixed that loophole.
>
> One can still send any message that fits in the template. But this largely restricts the possibilities of scams and misuse.

Seems to be fixed and that it was fixed during the time he did _nothing_ and just waited. Perhaps there was a responsible disclosure but he didn't say how he did it.

by fareesh on 5/12/2021, 10:21 AM

Brave post - the government has jailed people for far less

by yeshok on 5/12/2021, 10:54 AM

It appears that he got the credentials from github, and this was critical for his exploit to work.

by mschuster91 on 5/12/2021, 11:10 AM

The Indian Government should have asked Github for their "Secret Scanning" service (https://docs.github.com/en/code-security/secret-security/abo...).

That would have prevented the author just randomly stumbling on the credentials.

by garaetjjte on 5/12/2021, 8:11 PM

> These Sender IDs are reserved by companies and government organisations. Receiving a message from these Sender IDs is meant to be authentic.

No, it's not. Caller ID is not authenticated and shouldn't be depended on for anything sensitive.

by jaytaylor on 5/12/2021, 10:31 PM

Archive link, in case there is a takedown: https://archive.is/iKzjh

by swiley on 5/12/2021, 11:56 AM

Shared secret authentication is pretty much always a bad idea. I'm continually shocked people still use it.

by privacyking on 5/12/2021, 12:01 PM

You don't need to hack their website to do this. SMS spoofing has been possible for decades and still is.

by belatw on 5/12/2021, 12:00 PM

He should use this to tell everybody in India to stay home, wear masks and stop going to mass worship ceremonies that are causing this devastating covid spike.

by 2Gkashmiri on 5/12/2021, 11:13 AM

meh. i tried to use it, i got the credentials alright but seems my POST skills with jsfiddle are ancient now, couldn't get it up and running.