Security researcher hacks BSNL intranet; leaks details of 47,000 employees

The same vulnerabilities had been exposed two years ago by an IITian, but he did not even get a response from BSNL. Elliot Alderson, a French security researcher, shared what went wrong with BSNL in a series of tweets on Sunday.

On Sunday, March 4, Elliot Alderson, a security researcher, shared in a series of tweets how he hacked BSNL’s (Bharat Sanchar Nigam Limited) website and obtained the details of more than 47,000 employees.

After the flaw was made public, BSNL acknowledged and fixed the issue. The security researcher then tweeted, “First thing first, I want to thank @BSNLCorporate for their cooperation and their reactivity. All the issues below have been disclosed to them privately and fixed during the weekend. I hope they will take the appropriate actions internally.”

The whole incident came to light when the French security researcher, Elliot Alderson, gained access to BSNL's intranet website through an SQL injection (an attack on data-driven applications in which the attacker inserts malicious SQL statements into an input field so that the database executes them).

This allowed the attacker to dump the entire BSNL intranet database, which contains details of more than 47,000 BSNL employees, including information on senior officials, administrators and retired employees.

The researcher tweeted that the issue was first spotted by an IITian and gave credit to a Twitter profile named @kmskrishna. Sai Krishna Kothapalli is a Computer Science and Engineering undergraduate at IIT Guwahati.

Two years back, Kothapalli had tried to inform senior BSNL officials through a series of tweets, emails and calls, but he never got a response from any of them. He tweeted, “Tweeted this 2 years ago after all the deliberate attempts I made to contact BSNL. Didn't get any reply. Now as you can see, @fs0c131y used the same vulnerability to hack BSNL.”

Elliot (Twitter handle @fs0c131y) also tweeted that the BSNL intranet site had also been hit by ransomware, but this went unnoticed.