Massive data breach from @NPCI_BHIM app.

"The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals."

vpnmentor.com/blog/report-cs…
This project was run by @CSCegov_ which comes under @OfficeOfRSP to promote private and foreign bank owned company @NPCI_NPCI's app.

cscbhim.in/static/fronten…
#DigitalIndia in one picture.

Minister thanks an IT cell drone whose account has since been suspended.

twitter.com/vikramjit_datta
Will Chowkidar sarkar come up with another power point presentation about their @13footwall security?

Will they deploy a senior babu like @rssharma3 to claim that all this data was already in the public domain so there's no real loss/risk to anybody?

As expected... another blanket denial of reality from @NPCI_BHIM

Is the same "high level of security" demanded from your customer onboarding partner @CSCegov_?

Why were they collecting all these documents for BHIM related work?

Who authorised them?

When the blog post went up yesterday and even when I made the tweet this morning, the CSC-BHIM website was not using HTTPS.

They have hurriedly purchased a certificate to cover up this oversight and the idiots couldn't even buy the right certificate.

cscbhim.in
The morons at @CSCegov_ don't know that a certificate issued for AltNames "www dot cscbhim dot in" and "* dot cscbhim dot in" will not work for "cscbhim dot in"

And why would they even add www dot cscbhim dot in as an AltName when "* dot cscbhim dot in" will match that?
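As an added illustration (not code from the thread), here is the SAN matching rule that makes such a certificate unusable for the bare domain: a wildcard is only honoured as the whole leftmost label and matches exactly one label, so neither www.cscbhim.in nor *.cscbhim.in covers cscbhim.in. The SAN list is constructed from the tweet's description, not parsed from the real certificate.

```python
from typing import Iterable, List

def san_matches(san: str, hostname: str) -> bool:
    """True if one dNSName SAN entry covers hostname under RFC 6125 rules.

    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label: '*.cscbhim.in' covers 'www.cscbhim.in' but neither
    the bare 'cscbhim.in' (one label short) nor 'a.b.cscbhim.in' (one too many).
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if any("*" in label for label in san_labels[1:]) or (
        "*" in san_labels[0] and san_labels[0] != "*"
    ):
        return False  # partial or non-leftmost wildcards are rejected outright
    if san_labels[0] == "*" and len(san_labels) < 3:
        return False  # refuse '*.in'-style wildcards that would cover a whole TLD
    return all(p == "*" or p == h for p, h in zip(san_labels, host_labels))

def certificate_covers(sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN in the certificate is valid for hostname."""
    return any(san_matches(s, hostname) for s in sans)

def uncovered_names(sans: Iterable[str], names: Iterable[str]) -> List[str]:
    """Names a deployment serves that the certificate would fail on."""
    sans = list(sans)
    return [n for n in names if not certificate_covers(sans, n)]

# SAN list as described in the tweet (constructed from the text, not parsed from the certificate).
CSCBHIM_SANS = ["www.cscbhim.in", "*.cscbhim.in"]

if __name__ == "__main__":
    for name in ("cscbhim.in", "www.cscbhim.in", "portal.cscbhim.in"):
        print(name, "->", certificate_covers(CSCBHIM_SANS, name))
```

Running the same check against every hostname a site answers on, before the certificate is deployed, is the pre-flight step that would have caught this.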
Let's play a game!

Will @CSCegov_ dump their one day old certificate and buy a new one that works for "cscbhim dot in"?

Or will they force their website to serve on "www dot cscbhim dot in" breaking all their existing docs and training material?
Here's a screenshot of the wrong certificate with more details.
BREAKING: Creator of @NPCI_BHIM app blames @CSCegov_ under Minister @rsprasad for this massive data leak.

In case he decides to delete his tweet.
And here's the source of the leak.

Chowkidar sarkar was growth hacking their 'less cash economy' dream.

Not only is there more cash in circulation today, millions of non-tech savvy Indians have been put at risk of identity theft.

In more #DigitalIndia #FAIL the open S3 bucket secrets were stored in clear text in the mobile app.

Because they couldn't be arsed to RTFM and use pre-signed URLs.

docs.aws.amazon.com/sdk-for-ruby/v…
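Added example, not code from the thread or from the app: a stdlib-only sketch of the pattern the linked AWS docs describe. The backend keeps the secret key and hands the phone a short-lived, query-string-signed (SigV4) URL for one object, so no AWS credential is ever embedded in the mobile app. Bucket, object key and credentials below are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def presign_s3_get(bucket, key, access_key_id, secret_key, region, amz_date, expires):
    """Return a SigV4 query-string-signed GET URL for s3://bucket/key.

    amz_date is a UTC timestamp in 'YYYYMMDDTHHMMSSZ' form; expires is the
    URL lifetime in seconds. Only the signature reaches the client; the
    secret key is used server-side and never leaves this function.
    """
    host = f"{bucket}.s3.amazonaws.com"
    datestamp = amz_date[:8]
    scope = f"{datestamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query: keys sorted, everything outside the unreserved set percent-encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items())
    )
    canonical_uri = quote("/" + key.lstrip("/"), safe="/")
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_query,
        f"host:{host}\n",  # canonical headers block is terminated by a blank line
        "host", "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    # Derive the scoped signing key; the raw secret never signs the request directly.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), datestamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), "s3"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"

# Constructed placeholder credentials, not real AWS keys.
DEMO_ACCESS_KEY_ID = "EXAMPLEACCESSKEYID00"
DEMO_SECRET_KEY = "EXAMPLE/SECRET/KEY/NOT/REAL"

def demo_url():
    return presign_s3_get("example-bucket", "docs/onboarding-form.pdf", DEMO_ACCESS_KEY_ID,
                          DEMO_SECRET_KEY, "ap-south-1", "20200601T120000Z", 900)
```

The URL expires 900 seconds after the stamped date and is valid for that one object only, which is the whole point: a leaked URL is a bounded exposure, a leaked secret key is the entire bucket.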

How does the govt. employing people to install apps on other people's phones in this manner count as consent /"informed consent"?

Remember they also offered bait of weekly/monthly cash lottery with prizes worth a lakh to get people to install the app.

cscbhim.in/static/fronten…
Not only did @CSCegov_ get their VLEs to install the app, they had to perform two transactions of '5-5 rupees' from their UPI app.

How much did @CSCegov_ compensate the VLEs for spending Rs10 from their pocket per onboarded merchant?

Who paid for it? Us taxpayers?
If you ever wondered how so many people fall victim to UPI scams where scamsters install screensharing apps to take control of phones.

It's because the govt. through such @CSCegov_ VLEs has normalised this behaviour of people allowing others to install apps on their phones.
Nearly 1 in 5 @SetuAarogya installs too have been done by @CSCegov_ VLEs on phones of tech-illiterate people.

In the middle of a pandemic the govt was literally getting strangers to share mobile phones and touch their screens.

thehindubusinessline.com/info-tech/cscs…
Remember the govt got rid of biometric attendance for its employees on March 6th to curb the spread of the virus.

But in the middle of a lockdown they got VLEs to handle other people's phones to install an app.

What if a VLE was COVID +ve?
