# IDRBT Domain Registrar Portal — Security Findings Disclosure

- **Date:** 2026-06-08
- **Portal:** https://registrar.idrbt.ac.in/
- **Investigator:** CashlessConsumer
- **Status:** Documented, not yet reported to IDRBT/CERT-In

## Summary

A security analysis of the IDRBT Domain Registration Portal — the exclusive registry for .bank.in domains — found 26 unauthenticated API endpoints exposing 5,576 user records (including bcrypt password hashes), 1,535 billing records (₹4.52 crore), and 1,072 orphan accounts with Super Admin privileges. The portal, developed without public tender by IKCON Technologies, has no mandatory security baselines for its ~1,500 registrant domains.

## Key Findings

### Critical (Data Exposure)
1. **5,461 user records** via unauthenticated `/api/dr/user/all` — includes emails, phones, bcrypt hashes, IPs, device fingerprints
2. **1,072 orphan accounts** — all carry the Super Admin role and are unassociated with any organization
3. **219 deleted records** — soft-deleted, not purged, still accessible
4. **1,535 billing records** — organization names, GST, PAN, addresses, payment history

### Critical (Systemic)
5. **No security baselines** — DNSSEC, HSTS, DMARC, CAA all optional. 40% of .bank.in domains have no email spoofing protection
6. **No public tender** — vendor IKCON appointed without visible procurement process
7. **Vendor Super Admin access** — 3 IKCON employees have orgId=0 global access
8. **26 endpoints without auth** — 11 user management, 5 auth-flow, 2 billing, 5 config, 3 DSC proxy

### High (Registry Infrastructure)
9. **No vulnerability disclosure program** — no security.txt, no bug bounty
10. **No automated compliance scanning** — unlike fTLD's weekly scans
11. **Weak entity verification** — DV certificates accepted for banking domains
12. **UAT config in production** — `environment.prod.ts` has `envName: "UAT"`

## Scope

- **Tested:** Production domain `registrar.idrbt.ac.in` (2026-06-07/08)
- **Method:** Static decompilation of Angular app, live HTTP verification of 25+ endpoints
- **Data accessed:** As documented in `/evidence/data-summary.md`
- **No exploitation:** Read-only GET requests to confirm endpoint accessibility

## Recommended Remediations

1. **Immediately:** Add JWT auth to all 26 unauthenticated endpoints
2. **Immediately:** Purge soft-deleted records containing PII
3. **Immediately:** Lock orphan Super Admin accounts
4. **90 days:** DMARC `p=reject` enforcement for all .bank.in domains
5. **90 days:** DNSSEC mandatory for all domain delegations
6. **90 days:** HSTS preload submission for .bank.in TLD
7. **180 days:** Open security.txt, bug bounty, and vulnerability disclosure program
8. **180 days:** Vendor access audit and deprovisioning
9. **180 days:** Public RFP for all future registry development
10. **Ongoing:** Weekly compliance scanning, annual security audit
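Remediations 1 to 3 all come down to one control: every API route must verify a caller's token and bind it to the organization it is acting on, so that an orphan or vendor account with `orgId=0` is not treated as a wildcard. The block below is an added illustration written for this disclosure, not code from the portal or from IKCON; the portal's real backend, token format and claim names are not known from the report, so the HS256 JWT layout, the `role`/`orgId` claim names and the demo secret are all assumptions.

```python
"""Authorization gate for an org-scoped registry API route (illustrative, added example).

Assumptions: tokens are HS256 JWTs carrying `role`, `orgId` and `exp` claims; the
shared secret is loaded from a secret store in a real deployment. Nothing here is
taken from the IDRBT portal's actual implementation.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real service never hard-codes this.
SECRET = b"constructed-demo-secret-rotate-me"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue a compact HS256 JWT for the given claims (used here to build test inputs)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now: float | None = None) -> dict | None:
    """Return the claims if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; never let the token choose it.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(headers: dict, required_role: str, target_org: int, now: float | None = None) -> tuple[int, str]:
    """Decide (http_status, reason) for a request touching organization `target_org`."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, "invalid or expired token"
    if claims.get("role") != required_role:
        return 403, "role not permitted"
    # orgId 0 (or absent) is NOT a global wildcard: a caller must be bound to the org it acts on.
    if claims.get("orgId") in (None, 0) or claims["orgId"] != target_org:
        return 403, "token not scoped to this organization"
    return 200, "ok"


if __name__ == "__main__":
    good = mint_token({"sub": "u1", "role": "admin", "orgId": 42, "exp": 2_000_000_000})
    print(authorize({"Authorization": "Bearer " + good}, "admin", 42))
    print(authorize({}, "admin", 42))
```

The point of the `orgId` check is that a role alone is not enough: even a legitimate Super Admin token must name the organization it is acting for, so an account with `orgId=0` is rejected on every org-scoped route rather than granted access everywhere.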

## Comparison: fTLD .bank (Global)

The global .bank TLD (fTLD Registry Services) enforces: mandatory DNSSEC, mandatory DMARC p=reject, mandatory HSTS, EV/OV certificates minimum, TLS 1.2+ scanning on 18+ ports, weekly compliance audits, phishing takedown, CT log monitoring, and bug bounty. IDRBT's .bank.in has none of these.
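Remediations 4 to 6 and 10, and the fTLD baseline just described, amount to a per-domain compliance check that a registry can run weekly. The block below is an added example written for this disclosure, not a tool of IDRBT, fTLD or the report's author: it evaluates a domain's DMARC, DNSSEC, HSTS and CAA posture against that baseline using constructed inputs instead of live DNS/HTTP lookups, so it runs offline. The thresholds (`p=reject`, a one-year HSTS `max-age` with `includeSubDomains` and `preload`, at least one CAA `issue` tag) are assumptions modelled on the baseline above, and the domain names are constructed.

```python
"""Offline .bank-style compliance evaluation over constructed domain snapshots (added example).

A real scanner would fill DomainPosture from DNS (TXT at _dmarc.<name>, AD flag, CAA)
and from the Strict-Transport-Security header of https://<name>/; here the values are
constructed so the checks can run without network access.
"""
from __future__ import annotations

from dataclasses import dataclass

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum (assumed baseline)


@dataclass
class DomainPosture:
    name: str
    dmarc_txt: list[str]        # TXT answers at _dmarc.<name>
    dnssec_validated: bool      # resolver set the AD (authenticated data) flag for the zone
    caa_records: list[str]      # CAA answers at <name>, e.g. '0 issue "ca.example"'
    hsts_header: str | None     # Strict-Transport-Security header, or None if absent


def parse_dmarc(record: str) -> dict[str, str]:
    """Turn 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txts: list[str]) -> str:
    records = [parse_dmarc(t) for t in txts if t.strip().lower().startswith("v=dmarc1")]
    if not records:
        return "fail: no DMARC record"
    if len(records) > 1:
        return "fail: multiple DMARC records (invalid per RFC 7489)"
    policy = records[0].get("p", "").lower()
    if policy != "reject":
        return f"fail: p={policy or 'missing'} (baseline requires p=reject)"
    pct = records[0].get("pct", "100")
    if pct != "100":
        return f"fail: pct={pct} leaves some mail unenforced"
    return "pass"


def check_hsts(header: str | None) -> str:
    if header is None:
        return "fail: no Strict-Transport-Security header"
    directives: dict[str, str] = {}
    for d in header.split(";"):
        d = d.strip().lower()
        if d:
            key, _, value = d.partition("=")
            directives[key.strip()] = value.strip()
    try:
        max_age = int(directives.get("max-age", "-1"))
    except ValueError:
        return "fail: malformed max-age"
    if max_age < PRELOAD_MIN_MAX_AGE:
        return f"fail: max-age={max_age} below preload minimum {PRELOAD_MIN_MAX_AGE}"
    if "includesubdomains" not in directives:
        return "fail: includeSubDomains missing"
    if "preload" not in directives:
        return "fail: preload directive missing"
    return "pass"


def check_caa(records: list[str]) -> str:
    # CAA presentation format: <flags> <tag> <value>; we only need the tag.
    tags = [r.split()[1].lower() for r in records if len(r.split()) >= 3]
    if not records:
        return "fail: no CAA record (any CA may issue)"
    if "issue" not in tags:
        return "fail: no CAA issue tag"
    return "pass"


def evaluate(p: DomainPosture) -> dict[str, str]:
    """Per-control verdicts for one domain ('pass' or 'fail: <reason>')."""
    return {
        "dmarc": check_dmarc(p.dmarc_txt),
        "dnssec": "pass" if p.dnssec_validated else "fail: zone not DNSSEC-validated",
        "hsts": check_hsts(p.hsts_header),
        "caa": check_caa(p.caa_records),
    }


def is_compliant(p: DomainPosture) -> bool:
    return all(v == "pass" for v in evaluate(p).values())


# Constructed snapshots: one domain meeting the baseline, one with typical gaps.
SAMPLE = [
    DomainPosture("good.bank.example",
                  ["v=DMARC1; p=reject; rua=mailto:dmarc@good.bank.example"],
                  True, ['0 issue "ca.example"'],
                  "max-age=63072000; includeSubDomains; preload"),
    DomainPosture("weak.bank.example",
                  ["v=DMARC1; p=none; rua=mailto:postmaster@weak.bank.example"],
                  False, [], "max-age=300"),
]

if __name__ == "__main__":
    for domain in SAMPLE:
        for control, verdict in evaluate(domain).items():
            print(f"{domain.name:20} {control:7} {verdict}")
```

Run weekly over every delegated domain, the per-control verdicts give the registry the same kind of enforceable audit trail that the fTLD scans provide; a `fail` on DMARC here is exactly the "no email spoofing protection" condition counted in finding 5.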

## Evidence Archive

A complete evidence archive including source code, data schemas, policy documents, and media reports is available at [this page](https://zo.pub/cashlessconsumer/idrbt-bankin-security).

## Credits

CashlessConsumer — Fintech & DPI research
