🟠 High  |  Source: The Register — Security


The Reserve Bank of India mandated that banks use .bank.in domains to boost trust and reduce phishing, but the registry managing those domains exposed an open API leaking sensitive registrant data, including contact details and organisational information about bank officials. The leak undermines the very trust mechanism the domain mandate was designed to create, giving attackers everything needed to craft convincing impersonation attacks.

Security Architect’s Take: If your organisation operates in or integrates with Indian financial services, review any third-party domain registry dependencies for unauthenticated API exposure. More broadly, this is a reminder that trust infrastructure (domain registries, certificate authorities, identity providers) must itself be subjected to rigorous security assurance: treat these providers as critical supply chain components and assess their security posture accordingly.

Original advisory: India’s central bank mandated use of .bank domains to enhance trust – but its registry leaked sensitive info