Sensitive information belonging to thousands of bank employees responsible for managing India's .bank.in domains was allegedly exposed through security flaws in the domain registration portal operated by the Institute for Development and Research in Banking Technology (IDRBT), according to a security researcher.
The allegations relate to the registrar.idrbt.ac.in portal, which serves as the exclusive registrar for the .bank.in namespace introduced by the Reserve Bank of India (RBI) last year to strengthen the security of banking websites and reduce phishing attacks.
In a report published by digital payments advocacy group CashlessConsumer, researcher Srikanth L alleged that the portal exposed more than 33 unauthenticated REST API endpoints, allowing anyone to retrieve sensitive information without authentication.
According to the report, the exposed data included bcrypt password hashes, mobile numbers, email addresses, login IP addresses and device fingerprints belonging to 5,576 bank employees responsible for administering .bank.in domains.
The researcher further claimed the exposed APIs enabled access to infrastructure-related information, revealing that some Indian banks host websites on shared servers located in the United States, Singapore and Lithuania.
The analysis also identified several security gaps across registered .bank.in domains. According to the report, about 80% of domains do not use DNS Security Extensions (DNSSEC), roughly 40% lack the Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication protocol, and many rely on free TLS certificates issued by Let's Encrypt.
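The DNSSEC and DMARC coverage figures above are the kind of posture survey a registrar or bank security team can reproduce for its own domains. The following is an added example, not code from the report or from IDRBT: it takes DNS answers from an injectable lookup function so it runs offline on constructed records under placeholder names, treats a domain as DNSSEC-signed when a DS record is present at the parent, and applies the DMARC rule that a duplicate `_dmarc` record leaves the domain with no usable policy.

```python
from typing import Callable, Dict, List, Optional

# Lookup returns the answer strings for (owner name, record type), or [] if none.
Lookup = Callable[[str, str], List[str]]

def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into tag=value pairs; None unless v=DMARC1 with a p= tag."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def assess_domain(domain: str, lookup: Lookup) -> Dict[str, object]:
    """Classify one domain: DNSSEC (DS record at the parent) and DMARC policy."""
    has_ds = bool(lookup(domain, "DS"))
    dmarc = [t for t in lookup(f"_dmarc.{domain}", "TXT") if t.lower().startswith("v=dmarc1")]
    # RFC 7489: more than one DMARC record makes receivers abort DMARC
    # processing, so a duplicate counts as no usable policy.
    tags = parse_dmarc(dmarc[0]) if len(dmarc) == 1 else None
    policy = tags["p"].lower() if tags else None
    return {"domain": domain, "dnssec": has_ds, "dmarc_policy": policy,
            "dmarc_enforcing": policy in ("quarantine", "reject")}

def summarize(domains: List[str], lookup: Lookup) -> Dict[str, float]:
    """Percent of domains without DNSSEC, without DMARC, and with an enforcing DMARC policy."""
    rows = [assess_domain(d, lookup) for d in domains]
    pct = lambda cond: round(100.0 * sum(1 for r in rows if cond(r)) / len(rows), 1)
    return {"no_dnssec_pct": pct(lambda r: not r["dnssec"]),
            "no_dmarc_pct": pct(lambda r: r["dmarc_policy"] is None),
            "dmarc_enforcing_pct": pct(lambda r: r["dmarc_enforcing"])}

# Constructed sample answers (placeholder names) standing in for live DNS queries.
SAMPLE_RECORDS = {
    ("bank1.example", "DS"): ["12345 13 2 0123ABCD"],
    ("_dmarc.bank1.example", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@bank1.example"],
    ("_dmarc.bank2.example", "TXT"): ["v=DMARC1; p=none"],
    ("_dmarc.bank3.example", "TXT"): ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicate
    ("bank4.example", "DS"): ["23456 13 2 0123DCBA"],
}
SAMPLE_DOMAINS = ["bank1.example", "bank2.example", "bank3.example", "bank4.example", "bank5.example"]

def sample_lookup(name: str, rrtype: str) -> List[str]:
    return SAMPLE_RECORDS.get((name, rrtype), [])

if __name__ == "__main__":
    print(summarize(SAMPLE_DOMAINS, sample_lookup))
```

To run it against real domains, replace `sample_lookup` with a function that performs DS and TXT queries through a validating resolver; a `p=none` policy is counted as DMARC present but not enforcing.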
The report alleges the registration portal operated without a comprehensive security audit and exposed unsecured APIs for approximately 13 months.
Srikanth L said he privately disclosed the vulnerabilities to IDRBT in early June and that the organization has since remediated the exposed APIs. The researcher also published information obtained through the APIs in a GitHub repository, stating that it would help security researchers better understand India's banking infrastructure.
The findings raise concerns because the exposed administrative information could potentially be used to target bank employees in phishing, credential theft or social engineering attacks, undermining one of the primary objectives behind the RBI's introduction of the .bank.in domain.
The Reserve Bank of India introduced the dedicated .bank.in namespace in 2025 and directed banks to migrate their online presence to the new domain to provide customers with a trusted way to identify legitimate banking websites and reduce online fraud.