Open API leaked everything an attacker needs to impersonate bank officials
# Incident Report: Exposure of India’s .bank.in Domain Registry API
## Executive Summary
A critical vulnerability was discovered in the IDRBT Domain Registration Portal, the exclusive registrar for India’s mandated `.bank.in` ecosystem. An unauthenticated REST API leaked sensitive credentials and personal data of over 5,500 banking officials responsible for domain management. This exposure potentially compromised the integrity of India’s entire banking DNS infrastructure, enabling high-level impersonation and phishing attacks.
## Incident Details
- **Discovery Date:** Early June 2026
- **Incident Date:** 13-month period ending June 2026
- **Affected Organization:** Institute for Development and Research in Banking Technology (IDRBT)
- **Sector:** Financial Infrastructure / Government
- **Geography:** India
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately May 2025 (Portal launch)
- **Vector:** Broken Object Level Authorization (BOLA) / Unauthenticated API Endpoints
- **Details:** The registration portal went live with 33+ REST API endpoints accessible without any authentication.
### Lateral Movement
- **Details:** While the breach occurred at the registrar level, the leaked data (bcrypt hashes and PII) provided a roadmap for attackers to move laterally into individual bank administrative accounts.
### Data Exfiltration/Impact
- **Details:** Data for 5,576 bank employees was accessible, including:
  - bcrypt password hashes
  - Mobile phone numbers and email addresses
  - Login IP addresses and device fingerprints
  - Metadata revealing hosting locations (US, Singapore, Lithuania) and the absence of security protocols (DNSSEC/DMARC)
### Detection & Response
- **How it was discovered:** Identified by security researcher "Srikanth L" of CashlessConsumer during an audit of the `.bank.in` namespace.
- **Response actions taken:** Researcher disclosed findings to IDRBT; the registrar subsequently patched the unauthenticated endpoints.
## Attack Methodology
- **Initial Access:** Exploitation of unauthenticated REST API endpoints.
- **Persistence:** Not applicable for the registry leak itself, but leaked credentials could allow long-term persistence in bank domain management.
- **Privilege Escalation:** Attacker could elevate from a "nobody" on the web to an "administrator" of a bank's domain registry by cracking leaked bcrypt hashes.
- **Defense Evasion:** The lack of authentication meant no "unauthorized" alerts were triggered during data retrieval via simple `curl` commands.
- **Credential Access:** Direct theft of password hashes and login metadata via API.
- **Discovery:** Automated reconnaissance of the `registrar.idrbt.ac[.]in` subdomains.
- **Collection:** Bulk data scraping of all registered bank official profiles.
- **Impact:** Potential for DNS hijacking, authorized phishing, and man-in-the-middle attacks.
## Impact Assessment
- **Financial:** High potential risk; costs related to credential resetting for thousands of officials and potential fraud losses.
- **Data Breach:** Over 5,500 high-value targets (banking staff) had their PII and credentials exposed.
- **Operational:** Critical vulnerability in the infrastructure meant to *protect* the banking sector.
- **Reputational:** Severe; the mandated security move by the Reserve Bank of India (RBI) was undermined by the chosen registrar’s poor security posture.
## Indicators of Compromise
- **Network indicators:**
  - Requests to `registrar.idrbt.ac[.]in/api/*` without Authorization headers.
  - Extensive `curl` or automated traffic from non-banking IP ranges to the API.
- **Behavioral indicators:**
  - Multiple login attempts from high-risk or unexpected geographies (e.g., Lithuania, Singapore) for `.bank.in` management.
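The two network indicators above can be checked mechanically against portal access logs. The following is an added example (not from the report or from IDRBT) that runs over a constructed JSON-lines access log; the field names `src`, `path`, `status`, `auth` and `ua` are assumptions about the log format, and a source that enumerates several distinct object IDs under `/api/` without credentials is treated as bulk scraping.

```python
import json
import re
from collections import defaultdict

# Constructed sample access log for a hypothetical registrar portal (not real data).
# "auth" records whether the request carried an Authorization header.
SAMPLE_LOG = """
{"ts": "2025-06-01T10:00:01Z", "src": "203.0.113.10", "path": "/api/users/1001", "status": 200, "auth": true, "ua": "Mozilla/5.0"}
{"ts": "2025-06-01T10:00:02Z", "src": "198.51.100.7", "path": "/api/users/1001", "status": 200, "auth": false, "ua": "curl/8.5.0"}
{"ts": "2025-06-01T10:00:03Z", "src": "198.51.100.7", "path": "/api/users/1002", "status": 200, "auth": false, "ua": "curl/8.5.0"}
{"ts": "2025-06-01T10:00:04Z", "src": "198.51.100.7", "path": "/api/users/1003", "status": 200, "auth": false, "ua": "curl/8.5.0"}
{"ts": "2025-06-01T10:00:05Z", "src": "203.0.113.10", "path": "/login", "status": 200, "auth": false, "ua": "Mozilla/5.0"}
{"ts": "2025-06-01T10:00:06Z", "src": "198.51.100.7", "path": "/api/users/1004", "status": 200, "auth": false, "ua": "curl/8.5.0"}
"""

# Matches object-level API paths such as /api/users/1002 and captures the object ID.
API_OBJECT = re.compile(r"^/api/\w+/(\d+)$")


def find_indicators(log_text, bulk_threshold=3):
    """Scan JSON-lines access log text for the two network indicators.

    Returns a dict with:
      unauth_api: list of (src, path, ua) for successful /api/* requests with no credentials
      bulk_sources: sorted list of source IPs that pulled >= bulk_threshold distinct object IDs
      tool_sources: sorted list of source IPs using curl-style user agents against /api/*
    """
    unauth_api = []
    ids_by_src = defaultdict(set)
    tool_sources = set()
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if not rec["path"].startswith("/api/"):
            continue  # only API traffic matters for these indicators
        if not rec["auth"] and rec["status"] == 200:
            unauth_api.append((rec["src"], rec["path"], rec["ua"]))
        if rec["ua"].lower().startswith("curl"):
            tool_sources.add(rec["src"])
        m = API_OBJECT.match(rec["path"])
        if m:
            ids_by_src[rec["src"]].add(m.group(1))
    bulk_sources = sorted(s for s, ids in ids_by_src.items() if len(ids) >= bulk_threshold)
    return {
        "unauth_api": unauth_api,
        "bulk_sources": bulk_sources,
        "tool_sources": sorted(tool_sources),
    }


if __name__ == "__main__":
    print(json.dumps(find_indicators(SAMPLE_LOG), indent=2))
```

On a real deployment the same logic would run over the gateway or web-server logs, with the threshold tuned to the portal's legitimate per-user request volume.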
## Response Actions
- **Containment:** Closed unauthenticated API endpoints.
- **Eradication:** Rotation of credentials for all affected bank employees (recommended).
- **Recovery:** Implementation of mandatory security audits for the registration portal.
## Lessons Learned
- **The "Single Point of Failure":** Centralizing all bank domain registrations into one agency created a single high-value target (a "honey pot") for attackers.
- **Governance Failure:** The portal reportedly went live without a basic security audit.
- **Security Misalignment:** A project designed to enhance trust (.bank.in) ultimately eroded it due to poor implementation.
## Recommendations
- **Mandatory Audits:** Perform third-party penetration testing and API security audits before any critical infrastructure goes live.
- **Implement Multi-Factor Authentication (MFA):** Ensure domain management portals require MFA, rendering leaked password hashes less useful.
- **Security Protocol Enforcement:** Mandate DNSSEC and DMARC for all `.bank.in` domains to ensure the namespace truly provides the security it promises.
- **API Security Gateway:** Use an API gateway to enforce authentication and rate-limiting on all backend services.