By Indrajeet Bhuyan

Guwahati: On January 11, the Assam government launched an e-wallet, Tokapoisa.in, to enable the people of the northeastern Indian state to make hassle-free online transactions in their local language.

The e-wallet is a joint venture developed by the state's Assam Electronics Development Corporation Limited (Amtron) and ICICI Bank. Soon many news portals covered the launch, so as a security researcher I too was curious to see how this platform works.

Since it involves money transactions I was sure it would be a secure one, but I was mistaken. The security level of the platform was too poor. Anyone with a little knowledge of hacking could easily bypass its security features and misuse it. Such flaws might be excusable if the app were in a testing phase, but the app was launched and made public, which clearly indicates that they failed to recognise such basic flaws during their testing phase!

So here are the flaws:

(I have reported the flaws and they have been fixed today.)

Flaw 1 (Serious)

Flaw name: Bypassing OTP verification at sign-in

The notable thing about the site is that there is no password verification: the user enters their phone number, an OTP is sent to that phone, and once they enter the OTP they are signed in.

Only one level of authentication is used, which is the OTP. So if an attacker bypasses the OTP he can gain access to anyone's wallet and misuse it. Once he is inside, he can make payments, steal money, etc.
Registration does not ask the user to verify the number, which means an attacker can register anyone's number.

Now let us assume that a user has already created an account; then an attacker can log in to that specific user's account to make payments on his behalf, steal money, etc.

Here is the proof of concept:

This was possible because there is no limit on the number of times an attacker can enter an invalid OTP, due to which an attacker can easily brute-force it and get full access to anyone's account and money.
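The server-side fix for this class of flaw is to treat the OTP as single-use, short-lived, and limited to a handful of guesses. The following is an added illustration, not Tokapoisa's code; the five-attempt limit, the five-minute lifetime and the in-memory store keyed by phone number are assumptions standing in for a real deployment's policy and database.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed policy: an OTP is valid for five minutes
MAX_ATTEMPTS = 5        # assumed policy: wrong guesses allowed before the OTP is burned


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    attempts: int = 0


class OtpStore:
    """In-memory OTP store keyed by phone number (stand-in for a server-side database)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._pending: dict[str, PendingOtp] = {}

    def issue(self, phone: str) -> str:
        # Cryptographically random digits: an earlier OTP reveals nothing about the next one.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[phone] = PendingOtp(code=code, issued_at=self._now())
        return code  # a real system hands this to the SMS gateway, never to the HTTP caller

    def verify(self, phone: str, guess: str) -> str:
        pending = self._pending.get(phone)
        if pending is None:
            return "no_pending_otp"
        if self._now() - pending.issued_at > OTP_TTL_SECONDS:
            del self._pending[phone]
            return "expired"
        pending.attempts += 1
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(pending.code, guess):
            del self._pending[phone]   # single use: the same OTP can never be replayed
            return "ok"
        if pending.attempts >= MAX_ATTEMPTS:
            del self._pending[phone]   # burn the OTP; the user must request a fresh one
            return "locked"
        return "wrong"
```

With an unlimited number of guesses a six-digit OTP falls to at most a million requests; capping attempts per OTP reduces an attacker's odds to MAX_ATTEMPTS in a million per issued code, and logging "locked" events gives the operator a detection signal.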

Flaw 2 (Low Impact)

Flaw name: Directory listing

There was a directory listing flaw in the website, by which an attacker can see all the files that are in a directory. This flaw can be used to learn about files inside the directory even if they are not mentioned anywhere on the site, so it gives a good idea of all the files hosted in that directory.

Flaw 3 (Medium)

There is no SSL certificate on the site. The site deals with money and transactions and yet it runs on HTTP and not HTTPS. SSL certificates provide secure, encrypted communication between a website and a browser. SSL stands for Secure Sockets Layer, the protocol which provides the encryption.

SSL certificates are typically installed on pages that require end-users to submit sensitive information over the internet, like credit card details or passwords. But here on the Tokapoisa site there is no SSL, which means that the connection is not secured and is unencrypted, and anyone can perform a man-in-the-middle attack and obtain sensitive information from it. This is the first website I have seen which deals with money and doesn't have an SSL certificate.

Miscellaneous

Tokapoisa has launched an Android app which is not exactly an app, because it is just a web viewer which displays the site. There is nothing special in the Android app. When you open the app it just shows you the webpage, that's all, which means anyone can create the exact same app.

This can be dangerous because they have not yet launched it in any app store, so if an attacker creates an app which displays the website inside the app, no one can differentiate it from the original one, and the attacker can take advantage of this and add malicious code to his version.

When I found the flaws I first prepared a report on them and mailed it to the email ID provided on the Tokapoisa website (appsupport@amtron.in), but the delivery failed as they have not configured the mail service.

Then I mailed it to the general manager of Amtron (sanjib.sarmah@amtron.in), and also to the email ID provided in the contact section of Amtron's website. I got these mail IDs from Amtron's website. But the delivery failed there too, as they have not configured that either.

Since all the above-mentioned flaws were very serious, I wanted them fixed as soon as possible, because if they got into the wrong hands they might be misused. So I went to the Special Branch of the police, and thanks to them, they organised a meeting with the developer of the platform.

I demonstrated the flaws to them and they were fixed today itself.

Since the platform is all about money and transactions, security should be the first priority of the developers. I understand that the app is new and can have flaws, but the app is already public, which means 30.94 million people (population of Assam, 2012) could be at risk.

So I did my bit to secure the platform. I hope it benefits the people of Assam.

(Indrajeet Bhuyan is a second-year B.Tech student at Assam Don Bosco University.)