z-aki

India Post autofill consignment from URL

Sat, 14 Mar 2026 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_y/India Post autofill consignment from URL.user.js::100"

Helpful Tampermonkey Scripts

Sat, 14 Mar 2026 00:00:00 +0530

Home ▶ Tampermonkey

Helpful Tampermonkey Scripts

--8<---- "docs/tampermonkey/warning.txt"

Works with Tampermonkey extension on Firefox, Chrome...

Aadhaar Tathya input type number

Mon, 12 Jan 2026 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_y/Aadhaar Tathya input type number.user.js::100"

IPGRS karnataka remove waiting GIF

Mon, 12 Jan 2026 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_y/IPGRS karnataka remove waiting GIF.user.js::100"

Indian Bank domain redirect

Mon, 12 Jan 2026 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_y/Indian Bank domain redirect.user.js::100"

Indian bank CGRS autofill complaint from URL

Mon, 12 Jan 2026 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_y/Indian bank CGRS autofill complaint from URL.user.js::100"

Namma BMTC AVLS width auto

Mon, 12 Jan 2026 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_y/Namma BMTC AVLS width auto.user.js::100"

RTIonline Karnataka captcha and credential autofill

Mon, 12 Jan 2026 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_y/RTIonline Karnataka captcha and credential autofill.user.js::100"

RTIonline allow paste

Mon, 12 Jan 2026 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_y/RTIonline allow paste.user.js::100"

EPFO allow password OTP paste

Tue, 02 Dec 2025 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_y/EPFO allow password OTP paste.user.js::100"

HDFC pension remove waiting GIF

Sun, 12 Oct 2025 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_n/HDFC pension remove waiting GIF.user.js::100"

Indian bank Credit Card expand terms and conditions

Sun, 12 Oct 2025 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_n/Indian bank Credit Card expand terms and conditions.user.js::100"

PGportal allow password paste and reveal OTP

Sun, 12 Oct 2025 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_n/PGportal allow password paste and reveal OTP.user.js::100"

SSO Rajasthan allow paste and right click

Sun, 12 Oct 2025 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_n/SSO Rajasthan allow paste and right click.user.js::100"

Twitter full links in tweets

Sun, 12 Oct 2025 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_n/Twitter full links in tweets.user.js::100"

Bimabharosa IRDAI

Fri, 12 Sep 2025 00:00:00 +0000

Home ▶ Vulnerabilities ▶ Vulnerability Analysis and disclosures

The Bima Bharosa portal (https://bimabharosa.irdai.gov.in) had a vulnerability in its complaint history API that allowed access to sensitive complaint details by simply incrementing the complaint ID. This exposed personal and claim information of policyholders without authentication.

Summary of the vulnerabilities:

| Sr | API | Date reported | Date fixed | Days taken | CERT-in reference number ||----|-----|--------------|------------|------------|--------------------------|| 1 | GetComplainthistorydata | 18 November 2024 | before 30 November 2024 | less than 12 days | 68209424 || 2 | encrypted GetComplainthistorydata | 30 November 2024 | 1 January 2025 | 31 days | 68209424 |

Root cause in OWASP terms:

A01 2021 Broken Access Control: CWE-284 Improper Access Control, CWE-285 Improper Authorization
A04 2021 Insecure Design: Insecure Direct Object Reference
A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication

Council of Insurance Ombudsman CIOINS API Vulnerabilities 2024

Fri, 12 Sep 2025 00:00:00 +0000

Home ▶ Vulnerabilities ▶ Vulnerability Analysis and disclosures
Council of Insurance Ombudsman CIOINS website (https://cioins.co.in) had numerousvulnerabilities covering several OWASP TOP 10 categories in 2024. The vulnerabilities allowedaccess to a complainant's phone, email, address, dob, policy number, complaint detailsand any award passed. After reporting itto CERT-in (CIOINS doesn't have a direct email for this), they simply masked the issue with bogusencryption with key exposed in the front-end source code.

After a followup, a proper fix was implemented but with significant delay.

Summary of the vulnerabilities:

| Sr | API | Date reported | Date fixed | Days taken | CERT-in reference number ||----|------|---------------|------------|------------|--------------------------|| 1 | FetchComplaintDetails | 16 November 2024 | 9 December 2024 | 21 | 07586124 || 2 | RetrieveData | 16 November 2024 | 9 December 2024 | 21 | 07586124 || 3 | FetchComplaints | 16 November 2024 | 9 December 2024 | 21 | 07586124 || 4 | encrypted FetchComplaintDetails | 9 December 2024 | 20 January 2025 | 41 (63 from original) | 07586124 || 5 | encrypted RetrieveData | 9 December 2024 | 20 January 2025 | 41 (63 from original) | 07586124 || 6 | encrypted FetchComplaints | 9 December 2024 | 20 January 2025 | 41 (63 from original) | 07586124 |

Root cause in OWASP terms:

A01 2021 Broken Access Control: CWE-284 Improper Access Control, CWE-285 Improper Authorization
A02 2021 Cryptographic Failures: CWE-321 Use of Hard-coded Cryptographic Key
A04 2021 Insecure Design: CWE-73 External Control of File Name or Path, Insecure Direct Object Reference
A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication, CWE-613 Insufficient Session Expiration

E-Jagriti portal vulnerabilities 2025

Fri, 12 Sep 2025 00:00:00 +0000

Home ▶ Vulnerabilities ▶ Vulnerability Analysis and disclosures
The EJagriti portal (https://e-jagriti.gov.in), which is an upgrade ofe-daakhil portal, is mandatory for consumer complaint filing and tracking.Any complaint has to be uploaded on this portal before submitting it to theconsumer commission registry. It is developed and maintained by NIC(https://nic.gov.in)and content owned by the Department Of Consumer Affairs, Ministry Of Consumer Affairs,Food & Public Distribution, Government Of India.

These vulnerabilities allowed access to all casedocuments (including sensitive information such as ID proofs, affidavits withsign, complaint details, and depending on the case: medical records, bankdetails, purchase details, land records etc. ) in a trivial manner. Further,the case reference ID, being a serially increasing number, allowed serialaccess to all other users' case documents.

Summary of the vulnerabilities

| Sr | API | Date reported | Date fixed | Days taken | CERT-in reference number ||----|------|---------------|------------|------------|--------------------------|| 1 | CaseFilingDocumentDetails | 31 May 2025 | Partial fix before 17 June. Full fix never confirmed to me. Guessing July | 18-47 | 38480225 || 2 | getAllComplainantRespondantDetails | 31 May 2025 | Partial fix before 17 June. Full fix never confirmed to me. Guessing July | 18-47 | 38480225 |

Root cause in OWASP terms:

A01 2021 Broken Access Control: CWE-35 Path Traversal, CWE-284 Improper Access Control, CWE-285 Improper Authorization
A04 2021 Insecure Design: Insecure Direct Object Reference
A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication, CWE-613 Insufficient Session Expiration

Indigo Vulnerability 2022-2024 and Air india vulnerability 2025

Fri, 12 Sep 2025 00:00:00 +0000

Home ▶ Vulnerabilities ▶ Vulnerability Analysis and disclosures
Interglobe Indigo's manage booking portal(https://www.goindigo.in/edit-booking.html) and Air India Express (https://www.airindiaexpress.com/manage)leaked a passenger's number, email, date of birthaddress and emergency contact information by a PNR and name of a passenger. Even though the content is masked in the UI,the network activity shows the full data.

This was originally reported to Indigo in 2022 but was not fixed.

Tweet by @_sirius93 exposing this vulnerability in 2022 https://twitter.com/_sirius93_/status/1508423479594733568
Tweet by Indigo denying this and not fixing the issue https://twitter.com/IndiGo6E/status/1508748146717130758
News covering this incident

After reporting via email to Indigo in July 2024, an incomplete fix was implemented.

After reporting to CERT in November 2024, Indigo implemented a complete fix.

Air India warns its customers to not display PNR online in its tweets and asks them to share it via DMs.

Summary of the vulnerabilities:

| Sr | API | Date reported | Date fixed | Days taken | CERT-in reference number ||----|------|---------------|------------|------------|--------------------------|| 1 | Indigo itinerary | 28 March 2022, 22 July 2024, 23 November 2024 | December 2024 | 1009, 162, 39 | 64401624 || 2 | Air India RetrieveData | 2 August 2025 | September 2024 | 30 | 25019125 |

Root cause in OWASP terms:

A01 2021 Broken Access Control: CWE-284 Improper Access Control, CWE-285 Improper Authorization
A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication, CWE-613 Insufficient Session Expiration

LIC cyber vulnerabilities and data breaches 2024-2025

Fri, 12 Sep 2025 00:00:00 +0000

Home ▶ Vulnerabilities ▶ Vulnerability Analysis and disclosures
The Life Insurance Corporation of India (LIC) had 6 vulnerabilities in October 2024, December 2024 and April 2025 in their https://esales.licindia.in website (developed by iNube software solutions). Two of them allowed serial access to policy forms of prospect customers containing Name, DOB, email, phone, PAN card, income tax forms, aadhaar (or other IDs), signature, photo, medical history, address, income, nominees, other policy purchase details, etc.

The story was covered only in Medianama.

Medianama article by Sakshi Sadashiv K, 20 December 2024
MoneyControl added a small paragraph in a story, 6 months after the incidents based on some "social media posts" (which weren't cited as sources either) https://www.moneycontrol.com/banking/india-s-insurance-sector-faced-maximum-cyber-onslaught-in-fy25-article-13131547.html

Summary of the vulnerabilities:

| Sr | API | Date reported | Date fixed | Days taken | CERT-in reference number ||----|------|---------------|------------|------------|--------------------------|| 1 | GenericDocumentViewer | 16 October 2024 | 23 October 2024 | 7 | not assigned due to non-reproducibility (due to delay in reporting it to CERT after reporting it to LIC) || 2 | GetPayLoadByQueryDynamic | 16 October 2024, 6 December 2024 | 5 February 2025 | 112, 52 | CERTIn-80801824 || 3 | GetDocumentByIdPost | 9 December 2024 | 28 January 2025 | 50 | CERTIn-80801824 || 4 | GetUserByUserIdPost | 9 December 2024 | 28 January 2025 | 50 | CERTIn-80801824 || 5 | GenericSPApi | 9 December 2024 | 28 January 2025 | 50 | CERTIn-80801824 || 6 | GetQuoteDetailByNumberPost | 4 June 2025 | 25 July 2025 | 51 | CERTIn-38009725|

Root cause in OWASP terms:

A01 2021 Broken Access Control: CWE-35 Path Traversal, CWE-284 Improper Access Control, CWE-285 Improper Authorization
A04 2021 Insecure Design: CWE-73 External Control of File Name or Path, Insecure Direct Object Reference
A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication, CWE-613 Insufficient Session Expiration

Manipal Hospitals pvt ltd vulnerability 2024

Fri, 12 Sep 2025 00:00:00 +0000

Home ▶ Vulnerabilities ▶ Vulnerability Analysis and disclosures
The Manipal hospital pvt ltd has a mandatory registration process on its kiosk https://kiosk.manipalhospitals.comfor OPD consultations.The portal collects a lot of information within minutes but the same personal data deletion takes 3-4 months.

The portal had numerous vulnerabilities that allowed access to the user's personal data in a serial manner. One API provided the login OTP back to the person logging-in, defeating its whole point. In others, data was flimsyly "protected" just by a static Authorization header exposed in the front-end code.

Summary of the vulnerabilities:

| Sr | API | Date reported | Date fixed | Days taken | CERT-in reference number ||----|------|---------------|------------|------------|--------------------------|| 1 | KioskOtpVerification | 27 December 2024 | Never reverted | more than 60 days | 91742724 || 2 | PatientVisitHistory | 27 December 2024 | Never reverted | more than 60 days | 91742724 || 3 | PatDetailsByMobileNo | 27 December 2024 | Never reverted | more than 60 days | 91742724 |

Root cause in OWASP terms:

A01 2021 Broken Access Control: CWE-35 Path Traversal, CWE-284 Improper Access Control, CWE-285 Improper Authorization
A02 2021 Cryptographic Failures: CWE-321 Use of Hard-coded Cryptographic Key
A04 2021 Insecure Design: Insecure Direct Object Reference
A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication, CWE-613 Insufficient Session Expiration

The New India Assurance Co Ltd Alleged Vulnerability 2024

Fri, 12 Sep 2025 00:00:00 +0000

Home ▶ Vulnerabilities ▶ Vulnerability Analysis and disclosures
An alleged vulnerability in the New India Assurance website allowed downloading sensitive personal information of policyholder simply by the policy number.

Summary of the alleged vulnerabilities:

| Sr | API | Date reported | Date fixed | Days taken | CERT-in reference number ||----|------|---------------|------------|------------|--------------------------|| 1 | getPolicyDetails | 31 October 2024 | before 18 November 2024 | Less than 18 | not assigned due to non-reproducibility (due to delay in reporting it to CERT after reporting it to NIA) |

Alleged root cause in OWASP terms:

A01 2021 Broken Access Control: CWE-35 Path Traversal, CWE-284 Improper Access Control, CWE-285 Improper Authorization
A04 2021 Insecure Design: Insecure Direct Object Reference
A07 2021 Identification and Authentication Failures: CWE-287 Improper Authentication, CWE-613 Insufficient Session Expiration

It is important to note that the company denied existence of any vulnerability.

Vulnerability Analysis and disclosures

Fri, 12 Sep 2025 00:00:00 +0530

Home ▶ Vulnerabilities

Vulnerability Analysis and disclosures

CERT-in has been very responsive and helpful in reacting to incident reports and g...

Income tax portal allow paste

Thu, 04 Sep 2025 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_n/Income tax portal allow paste.user.js::100"

Reddit old expand all posts

Thu, 04 Sep 2025 00:00:00 +0000

Home ▶ Tampermonkey ▶ Helpful Tampermonkey Scripts

Install latest with possible future updatesORInstall fixed script with no updatesjs show_lines="1:10"---8<--- "docs/tampermonkey/upd_n/Reddit old expand all posts.user.js::100"

BSNL autofill username password