The Reserve Bank of India’s .bank.in domain registration system exposed sensitive data of thousands of bank employees for at least 13 months, according to an independent researcher’s report published this week. The vulnerability was linked to the backend system of the Institute for Development and Research in Banking Technology (IDRBT), which manages the registrar.idrbt.ac.in portal for .bank.in domains.
Researcher Srikanth L, who runs the consumer collective Cashless Consumer, detailed the security flaws in a blog post and an accompanying report. He found more than 33 unauthenticated endpoints on the IDRBT portal that returned sensitive information without any security checks: anyone who knew the URL could retrieve the data. The RBI had made adoption of the .bank.in domain mandatory in February 2025 to give banks a trusted digital identity, but no independent security audit was conducted before launch. The vulnerabilities have since been fixed.
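The failure mode described above, endpoints that hand back sensitive records with no authentication check, is usually a design default rather than a single bug: routes are registered as open unless someone remembers to protect them. The following is an added example, not code from the IDRBT portal or from the researcher's report, showing the opposite default (every route requires a session unless explicitly marked public) together with the pre-launch audit that the article says never happened: a walk over the route table that lists everything reachable without a login. The route paths, the `Request`/`Router` classes and the registrant records are constructed for illustration.

```python
"""Deny-by-default routing plus a route-table audit for unauthenticated endpoints.

Added example; not the portal's code. Paths, roles and data are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None means no authenticated session


@dataclass
class Route:
    handler: Callable[[Request], object]
    auth_required: bool


class Router:
    """Routes require authentication unless registered with public=True."""

    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}

    def route(self, path: str, *, public: bool = False):
        def decorator(fn: Callable[[Request], object]):
            self.routes[path] = Route(fn, auth_required=not public)
            return fn
        return decorator

    def dispatch(self, req: Request) -> dict:
        route = self.routes.get(req.path)
        if route is None:
            return {"status": 404}
        # The check lives in the dispatcher, so a handler cannot forget it.
        if route.auth_required and req.session_user is None:
            return {"status": 401}
        return {"status": 200, "body": route.handler(req)}

    def audit(self) -> List[str]:
        """Paths reachable without a session; review this list before launch."""
        return sorted(p for p, r in self.routes.items() if not r.auth_required)


# Constructed sample data standing in for registrant and staff records.
REGISTRANTS = [
    {"domain": "examplebank.bank.in", "contact": "it-admin@examplebank.example"},
    {"domain": "samplebank.bank.in", "contact": "domains@samplebank.example"},
]
USERS = [{"login": "registrar-ops", "role": "admin"}]


def build_legacy() -> Router:
    """Mimics an exposed portal: data endpoints registered as public."""
    r = Router()

    @r.route("/api/registrants", public=True)
    def registrants(_req: Request) -> list:
        return REGISTRANTS

    @r.route("/api/users", public=True)
    def users(_req: Request) -> list:
        return USERS

    @r.route("/login", public=True)
    def login(_req: Request) -> str:
        return "login form"

    return r


def build_hardened() -> Router:
    """Same endpoints with the deny-by-default registration."""
    r = Router()

    @r.route("/api/registrants")
    def registrants(_req: Request) -> list:
        return REGISTRANTS

    @r.route("/api/users")
    def users(_req: Request) -> list:
        return USERS

    @r.route("/login", public=True)
    def login(_req: Request) -> str:
        return "login form"

    @r.route("/health", public=True)
    def health(_req: Request) -> str:
        return "ok"

    return r


if __name__ == "__main__":
    print("legacy unauthenticated paths:", build_legacy().audit())
    print("hardened unauthenticated paths:", build_hardened().audit())
    print("hardened anonymous fetch:", build_hardened().dispatch(Request("/api/registrants")))
```

The audit output is the artefact an independent reviewer would ask for: in the legacy router it lists the data endpoints alongside the login page, which is exactly the condition reported here, while the hardened router exposes only the login form and a health check. Any path that appears on that list and returns records should need a written justification before go-live.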
The .bank.in domain suffix was introduced by the RBI as a digital mark of trust to help citizens verify official bank websites. The missing access controls in the registration portal undermined that goal by exposing the confidential data of the very institutions it was meant to protect. The incident illustrates the risk in government-mandated digital infrastructure when security is not prioritised alongside rollout. The IDRBT, based in Hyderabad, manages the domain registry and has faced criticism for the oversight.
Srikanth’s investigation and detailed report, including a blog post and a GitHub repository, give a comprehensive account of the vulnerabilities and their impact. RBI notices from February and April 2025 set out the rollout of the .bank.in domain. The flaws were present for more than a year before being addressed, underscoring the need for rigorous independent audits of critical digital systems before they go live.