# IDRBT Domain Registrar Portal — Evidence Archive

**Compiled:** 2026-06-08
**Portal:** https://registrar.idrbt.ac.in/
**Investigator:** CashlessConsumer
**Status:** Live verified

## Contents

This archive documents the security posture, vendor history, and procurement of India's exclusive .bank.in domain registry, operated by IDRBT and developed by IKCON Technologies.

### 1. Analysis

| File | Description |
|---|---|
| [analysis/bank.in-SECURITY-ANALYSIS.md](./analysis/bank.in-SECURITY-ANALYSIS.md) | Full technical comparison of fTLD .bank (global) vs IDRBT .bank.in (India) across 12+ security layers |
| [analysis/bank.in-HISTORY.md](./analysis/bank.in-HISTORY.md) | Complete chronological history: 2014 fTLD launch → 2026 current state |
| [analysis/PROCUREMENT-RESEARCH.md](./analysis/PROCUREMENT-RESEARCH.md) | Procurement analysis: no public tender found, vendor identified as IKCON |
| [analysis/PORTAL-ANGULAR-ANALYSIS.md](./analysis/PORTAL-ANGULAR-ANALYSIS.md) | Original decompilation report: architecture, routes, endpoints, auth status |

### 2. Disclosure

| File | Description |
|---|---|
| [disclosure/security-findings-summary.md](./disclosure/security-findings-summary.md) | Concise findings summary suitable for responsible disclosure reporting |

### 3. Evidence

| File | Description |
|---|---|
| [evidence/data-summary.md](./evidence/data-summary.md) | Aggregate statistics from the extracted portal data (no raw PII) |
| [evidence/schemas/](./evidence/schemas/) | JSON schemas for all 26 unauthenticated API endpoints |
| [evidence/source-code/](./evidence/source-code/) | Select decompiled Angular source files demonstrating auth gaps |
| [evidence/pdfs/](./evidence/pdfs/) | Official IDRBT documents: Terms & Conditions, Registration Flow, Privacy Policy, DRO Training, VAPT RFP |

### 4. Media Reports

| File | Description |
|---|---|
| [media-reports/TOI-IDRBT-Pilot-Fed-2025.md](./media-reports/TOI-IDRBT-Pilot-Fed-2025.md) | Times of India (Feb 2025) — Pilot announcement: 20 banks, Feb 24 start |
| [media-reports/TOI-IDRBT-Most-Banks-Shifted-Jun-2026.md](./media-reports/TOI-IDRBT-Most-Banks-Shifted-Jun-2026.md) | Times of India (Jun 2026) — Status update: "most banks shifted" |
| [media-reports/HackerNews-RBI-bank-in-Feb-2025.md](./media-reports/HackerNews-RBI-bank-in-Feb-2025.md) | The Hacker News (Feb 2025) — International coverage of RBI move |
| [media-reports/Elets-RBI-bank-in-deadline.md](./media-reports/Elets-RBI-bank-in-deadline.md) | Elets BFSI (2025) — RBI deadline details |
| [media-reports/register.bank-RBI-analysis.md](./media-reports/register.bank-RBI-analysis.md) | Register.bank (fTLD) analysis of RBI requirements |
| [media-reports/IDRBT-tenders-page.md](./media-reports/IDRBT-tenders-page.md) | IDRBT's public tenders page (2020-2027) — no software development tenders found |
| [media-reports/IKCONTech-homepage.md](./media-reports/IKCONTech-homepage.md) | IKCON Technologies website — vendor profile with cooperative bank testimonials |
| [media-reports/IKCONTech-our-story.md](./media-reports/IKCONTech-our-story.md) | IKCON "Our Story" page — founding, leadership, client base |
| [media-reports/fTLD-security-requirements.md](./media-reports/fTLD-security-requirements.md) | Benchmark: fTLD official security requirements page |
| [media-reports/fTLD-policies.md](./media-reports/fTLD-policies.md) | Benchmark: fTLD official policies and requirements |
| [media-reports/fTLD-implementation-guide.md](./media-reports/fTLD-implementation-guide.md) | Benchmark: fTLD implementation guide for .bank domains |
| [media-reports/fTLD-security-technical-details.md](./media-reports/fTLD-security-technical-details.md) | Benchmark: fTLD technical security specification (18+ port TLS scanning, etc.) |
| [media-reports/EasyDMARC-fTLD-partnership.md](./media-reports/EasyDMARC-fTLD-partnership.md) | EasyDMARC article — fTLD's DMARC enforcement partnership |
| [media-reports/register.bank-homepage.md](./media-reports/register.bank-homepage.md) | Register.bank — reference for global .bank registration |

## Live Scan Data

DNS records and HTTP security headers were scanned live on 2026-06-08 across a sample of between 15 and 30 .bank.in domains; per-domain results are summarised in the analysis files above.
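
As an added example, not part of the archive's own scan tooling, the Python script below shows the kind of check behind the live scan: given a domain's DS records at the parent zone and the headers of its HTTPS response, it reports whether the zone is DNSSEC-signed and whether the HSTS header is present, valid, and strong. The one-year max-age baseline, the domain names, and the DS digest in the sample records are assumptions constructed for the example, not values taken from the scan.

```python
"""Assess DNSSEC and HSTS posture from captured per-domain scan records."""
from dataclasses import dataclass, field

# Assumed baseline for this example (not a value from the archive's scan):
# an HSTS max-age of at least one year.
MIN_HSTS_MAX_AGE = 365 * 24 * 3600


@dataclass
class Assessment:
    domain: str
    dnssec: bool
    hsts_present: bool
    hsts_strong: bool
    notes: list = field(default_factory=list)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload).

    max_age is None when the directive is missing or not a non-negative integer,
    which browsers treat as an invalid header."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def assess(domain, ds_records, headers):
    """Judge one domain from its DS records at the parent and its HTTPS response headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    notes = []
    dnssec = bool(ds_records)
    if not dnssec:
        notes.append("no DS record at parent: zone unsigned or chain of trust not delegated")
    hsts = lower.get("strict-transport-security")
    hsts_strong = False
    if hsts is None:
        notes.append("no Strict-Transport-Security header")
    else:
        max_age, include_sub, _ = parse_hsts(hsts)
        if max_age is None:
            notes.append("HSTS max-age missing or invalid: browsers ignore the header")
        elif max_age < MIN_HSTS_MAX_AGE:
            notes.append(f"HSTS max-age {max_age}s is below the {MIN_HSTS_MAX_AGE}s baseline")
        else:
            hsts_strong = True
        if not include_sub:
            notes.append("HSTS lacks includeSubDomains: subdomains remain downgradeable")
    return Assessment(domain, dnssec, hsts is not None, hsts_strong, notes)


def summarize(assessments):
    """Aggregate counts of the kind reported in the archive's scan summaries."""
    return {
        "domains": len(assessments),
        "dnssec": sum(a.dnssec for a in assessments),
        "hsts_present": sum(a.hsts_present for a in assessments),
        "hsts_strong": sum(a.hsts_strong for a in assessments),
    }


# Constructed sample records standing in for scan output; names and DS digest are fake.
SAMPLE = {
    "signed.example": {
        "ds": ["12345 13 2 " + "ab" * 32],
        "headers": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    },
    "weak.example": {
        "ds": [],
        "headers": {"strict-transport-security": "max-age=300"},
    },
    "bare.example": {"ds": [], "headers": {"Server": "nginx"}},
}


def run_sample():
    return [assess(d, r["ds"], r["headers"]) for d, r in SAMPLE.items()]


if __name__ == "__main__":
    results = run_sample()
    for a in results:
        print(f"{a.domain}: dnssec={a.dnssec} hsts={a.hsts_present} strong={a.hsts_strong} {a.notes}")
    print(summarize(results))
```

The script works on captured inputs so it runs offline; for a live run, collect the DS records with a resolver that can query the parent zone and the headers from a plain HTTPS GET, then feed both to `assess`. A DS record at the parent is the right test for DNSSEC being actually deployed, since a signed zone without a published DS is not validated by resolvers.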

## Disclaimer

This archive is prepared for responsible disclosure purposes. The raw user data (PII) extracted from the portal is NOT included in this public archive to protect the affected individuals. Aggregate statistics and JSON schemas are provided as evidence of the data exposure.

## Evidence Updates (2026-06-08)

**Strengthened findings added to the audit:**

1. **Rate limiting absent** — 30 sequential requests to `/api/dr/user/activeUser` all returned HTTP 200 OK; no throttling was observed
2. **fTLD enforcement verified** — 4 of 4 sampled .bank domains serve a DNSSEC-signed zone and an HSTS header (live-tested)
3. **Super Admin by default** — 2573 of 5461 user records (47%) carry the Super Admin role
4. **Unscoped Super Admin accounts** — 1090 accounts (roughly 20% of the 5461 records) combine Super Admin with `orgId=0`, i.e. not bound to any organisation (global, unrestricted access)
5. **UAT bleed into production** — `envName=UAT` appears in the production configuration, and 99 test/UAT domains appear in billing records
6. **Terms & Conditions clause** — full text of the sole security requirement extracted from the PDF
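
As an added example rather than the archive's own test harness, the following Python script is a sequential probe of the kind used for finding 1: it issues a fixed number of requests through an injectable transport and reports the status distribution and the index at which throttling first appeared. The `FakeServer` is a constructed stand-in so the script runs offline; the live transport targets whatever base URL the caller passes and is an assumed shape, not a record of the original test.

```python
"""Sequential request probe: does an endpoint ever throttle repeated unauthenticated calls?"""
import time
import urllib.error
import urllib.request
from collections import Counter

# Statuses commonly used to signal throttling or lockout (assumed set for this example).
THROTTLE_STATUSES = {429, 403, 503}


def probe(send, path, count=30, pause=0.0):
    """Issue `count` sequential requests via `send(path) -> status code`.

    Returns (status_counts, first_throttled) where first_throttled is the
    1-based index of the first request answered with a throttling status,
    or None if every request went through."""
    counts = Counter()
    first_throttled = None
    for i in range(1, count + 1):
        status = send(path)
        counts[status] += 1
        if first_throttled is None and status in THROTTLE_STATUSES:
            first_throttled = i
        if pause:
            time.sleep(pause)
    return counts, first_throttled


def verdict(counts, first_throttled, count):
    """Turn a probe result into a one-line finding."""
    if first_throttled is None and counts.get(200, 0) == count:
        return f"no rate limiting: {count}/{count} requests returned 200"
    if first_throttled is not None:
        return f"throttled from request {first_throttled}: {dict(counts)}"
    return f"inconclusive: {dict(counts)}"


class FakeServer:
    """Constructed stand-in for offline runs: serves `limit` requests, then answers 429."""

    def __init__(self, limit=None):
        self.limit = limit
        self.served = 0

    def send(self, path):
        self.served += 1
        if self.limit is not None and self.served > self.limit:
            return 429
        return 200


def http_sender(base_url):
    """Live transport (assumed shape, not the original test tooling).

    Returns the HTTP status for GET base_url + path, including error statuses."""

    def send(path):
        req = urllib.request.Request(base_url + path, headers={"User-Agent": "probe"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code

    return send


def run_offline():
    """Run the probe against an unthrottled and a throttled fake server."""
    open_counts, open_first = probe(FakeServer().send, "/api/example", count=30)
    limited_counts, limited_first = probe(FakeServer(limit=10).send, "/api/example", count=30)
    return verdict(open_counts, open_first, 30), verdict(limited_counts, limited_first, 30)


if __name__ == "__main__":
    for line in run_offline():
        print(line)
```

Thirty unauthenticated requests answered 200 with no throttling, as in finding 1, indicates both a missing authentication check and a missing rate limit on the same endpoint. When probing a live system, keep the count small and pass a `pause` so the probe itself does not degrade service, and record the timestamps alongside the statuses for the disclosure report.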
