Exclusive: Ethical hacker exposes a major property tax loophole in Kerala government website

Ethical hacker Edwin Shajan reported the flaw to the National Critical Information Infrastructure Protection Centre but the issue remained unsolved


A critical vulnerability in Kerala's Local Self-Government Department website allowed individuals to pay as little as ₹1 as property tax instead of the full amount. Despite being alerted nearly a month ago, the issue remains unresolved. 

The flaw was discovered by Edwin Shajan, a 20-year-old ethical hacker from Kerala. Edwin, a final-year BCA student at Christ University, reported the flaw to the National Critical Information Infrastructure Protection Centre. However, no steps were taken to rectify the issue.

Edwin explained that the bug permits tampering with the payment amount using Burp Suite, a widely used tool for security assessment and penetration testing of web applications. The vulnerability stems from the server's inadequate validation of the payment data it receives: it accepts the amount as sent by the client instead of checking it against the tax actually due.

During his testing, Edwin successfully modified the payment amount sent to the server. Upon completing the payment, he intercepted the success response, which included the payment amount, and changed it back to the original figure. This manipulation allowed him to pay just ₹1 while generating a receipt for the full property tax amount.

The ethical hacker also revealed that the LSG Department's website operates on Sanchaya, an e-governance application with inadequate validation and tampering checks in the payment request/response cycle. Despite the potential for fraudulent payments and revenue loss for the state government, Edwin has encountered a dismissive attitude from government officials. Currently, property tax payments for 941 panchayats in Kerala are processed through the Sanchaya application, while payments for municipalities and corporations have transitioned to the K-SMart application.
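The weakness described above is that the receipt is issued from amounts the client controls. As an added illustration, not code from Sanchaya or from the report, the handler below issues a receipt only from a server-held assessment record and a gateway-signed confirmation; the assessment table, field names and gateway shared secret are all hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample data: assessed property-tax demand (in rupees) keyed by
# a hypothetical assessment id. Not Sanchaya's real schema.
ASSESSMENTS = {"PT-2024-0001": 4850.00, "PT-2024-0002": 1200.00}

# Assumed shared secret between the tax portal and its payment gateway,
# used to authenticate the gateway's payment-confirmation callback.
GATEWAY_SECRET = b"constructed-demo-secret"


def sign_callback(fields: dict) -> str:
    """HMAC-SHA256 over a canonical serialisation of the callback fields."""
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def verify_payment(callback: dict, signature: str) -> dict:
    """Decide whether a receipt may be issued.

    Uses only the server-side assessment record and the gateway-signed
    callback; nothing echoed back from the browser is trusted.
    """
    # 1. Authenticate the callback: editing any field (e.g. inflating the
    #    amount in the success response) invalidates the signature.
    if not hmac.compare_digest(sign_callback(callback), signature):
        return {"receipt": False, "reason": "bad signature"}

    # 2. Look up the amount actually due from the server's own records.
    assessment_id = callback.get("assessment_id")
    if assessment_id not in ASSESSMENTS:
        return {"receipt": False, "reason": "unknown assessment"}
    due = ASSESSMENTS[assessment_id]

    # 3. Compare the gateway-confirmed amount with the assessed demand, so a
    #    request lowered to 1 rupee before reaching the gateway is caught.
    paid = float(callback["amount_paid"])
    if paid + 0.005 < due:
        return {"receipt": False, "reason": "underpayment",
                "due": due, "paid": paid, "balance": round(due - paid, 2)}

    return {"receipt": True, "assessment_id": assessment_id, "amount": paid}
```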

"I directly contacted the officials [handling the IT infra for the department], but they have not fixed it yet. To my surprise, one officer from [LSG department] even responded to this information by saying, ‘Athinu njan enth venam? (So, what should I do?)’," says Edwin, who reported approximately 180 bugs in Indian websites during the final quarter of 2024. THE WEEK learned from an official that the software team at the Information Kerala Mission, responsible for the software, has been aware of the vulnerability for at least two weeks, yet the issue remains unresolved.

On January 1, 2025, Edwin tested the vulnerability again by paying the property tax for a friend. "We went to the village office to verify if the full amount was reflected, and it was," Edwin said. "When my friend informed the officials that only ₹1 had been paid and expressed a desire to pay the remaining amount, the officials insisted the full amount had already been paid. After further explanation, they handed him an A4 sheet to submit a formal complaint. He did so, hoping the issue would be patched."

On December 31, Edwin reported a series of critical security vulnerabilities he discovered on the official website of the Ministry of Environment, Forest, and Climate Change. He found that sensitive information was exposed in publicly accessible PDF documents indexed by search engines. This vulnerability could potentially allow unauthorized access to accounts without any authentication.

He also identified an account takeover vulnerability on the website, which exploited weaknesses in the "forgot password" feature to bypass authentication. Additionally, Edwin reported that the website was susceptible to an insecure direct object reference (IDOR) attack—a type of vulnerability where attackers can gain unauthorized access by modifying numerical values in the URL.
