Security Flaws Reported in IDRBT Portal Managing .bank.in Domains

The420.in Staff

A security researcher has alleged that sensitive data linked to India’s newly introduced .bank.in domain registration system was exposed due to security flaws in the portal managed by the Institute for Development and Research in Banking Technology (IDRBT), raising concerns over the protection of banking infrastructure.

The allegations relate to the .bank.in subdomain launched by the Reserve Bank of India in 2025. Under the initiative, all banks were required to adopt the new domain format for their online presence as part of efforts to strengthen protection against phishing and online fraud. The researcher alleges that the portal responsible for managing the registrations failed to adequately protect sensitive information, potentially exposing critical data.

Alleged exposure of banking data

According to a report and an accompanying post published by CashlessConsumer, the IDRBT Domain Registration Portal allegedly exposed its REST API through 33 unauthenticated endpoints. The post claims this allowed access to bcrypt password hashes, mobile numbers, email addresses, login IPs and device fingerprints associated with 5,576 bank employees involved in managing India’s banking domains.

The researcher said the portal also revealed that some Indian banks hosted websites on shared servers located in the United States, Singapore and Lithuania. The findings further alleged that around 80 percent of registered .bank.in domains lacked DNSSEC protection, while about 40 percent did not use the DMARC email authentication protocol. The report also stated that many domains relied on free Let’s Encrypt certificates.

Security concerns and remediation claims

The researcher further alleged that the registration portal operated for 13 months without a proper security audit and without secure APIs. According to the report, the findings were disclosed to IDRBT in early June, after which the organisation is said to have fixed the identified security flaws.

Potential risks highlighted

The report warns that if the exposed API had been misused, attackers might have been able to obtain credentials and information relating to senior banking personnel. It notes that such access could potentially support attacks including DNS spoofing and phishing, undermining the security objectives behind the mandatory adoption of the .bank.in domain.