A serious flaw found in the the Indian Government’s DigiLocker application has put personal details of over 3.8 crores citizens at risk. Created under the Digital India initiative by the federal government, the DigiLocker app offers cloud access to every Aadhar user to keep digital copies of authentic documents/certificates like driving license, vehicle registration, academic mark sheet etc.
The bug which was discovered by a security researcher Ashish Gehlot last month allowed intruders with some technical knowledge to easily bypass the two-factor authentication required to sign in the application exposing the sensitive personal information.
- Ethical hacker claims data breach via Aarogya Setu app
- Data breach on Indian mobile payment app BHIM exposes 7 million records
- Covid-19 wristbands trigger surveillance fears in India
According to the Gehlot, he was able to manipulate the login process with the help of basic user information like Aadhar and by intercepting and changing the parameters of the applications’ connection to the server. The flaw meant that the unauthorized users could log in, create a new pin and get unrestricted access to the private data stored on the cloud server all without even entering a password.
While Gehlot had identified and reported the vulnerability last month, it was partially fixed within a couple of days. However, the OTP bypass issue was fixed yesterday only. As of now, there is no clarity if this data was accessed or misused by any unauthorized users.
This is not the first time that an Indian government’s application has been found vulnerable. Last month, a security researcher found issues in the Aarogya Setu mobile app that has been mandated by the government and is used for first-level screening and contact tracing against Covid-19.
Just yesterday, a data breach in the government-backed Bhim payment app exposed highly sensitive personal data of over 70 million people.
- The best Android apps of June 2020