India’s national Aadhaar database has once again been flagged for a major security vulnerability which would allow anyone to download the private information of cardholders, leaving users’ bank details and identity numbers unprotected. With the private details and fingerprints of several million Indians at hand, anyone with access to this flaw will be able to open a bank account or set up a cellular SIM card in anyone else’s name.
The disclosure comes from Karan Saini, a New Delhi-based researcher, who established that the vulnerability extends to anyone registered in the national database. Once exposed, anyone with access will be able to learn a person’s unique 12-digit identity number along with the services that person has subscribed to, including bank details and personal information.
According to Saini, “the API’s endpoint … has no access controls in place, (and) the affected endpoint uses a hardcoded access token, which, when decoded, translates to ‘INDAADHAARSECURESTATUS,’ allowing anyone to query Aadhaar numbers against the database without any additional authentication”. He added, “An attacker is bound to find some valid Aadhaar numbers there which could then be used to find their corresponding details”.
Reports suggest that Indian authorities failed to respond to the incident and that the vulnerability remains unfixed, which is why the exact details of how it can be reached have not been published. The leak originates from an unknown state-run utility firm whose unsecured API was used to gain access to the Aadhaar database, putting millions of Indians’ information at risk.
Packed with a bunch of security-enabled features, the Aadhaar card is India’s take on a digital ID database holding the biometric information and private details of close to 1.1 billion Indian citizens. Though not mandatory, not enrolling in the database would leave users unable to use basic government services. Even Uber and Amazon have dug into the system for seamless identification of their customers.
It might be recalled that when queried with a slew of accusations of data breaches, the stock answer of the central authority running the Aadhaar database has been to say that the biometric data is safe and has never been breached. Recent statements by the Tourism minister also point to a new direction of denials, where the focus might shift to denying any confidentiality at all when it comes to Aadhaar numbers or linked details, with only biometric data considered confidential.
Not surprisingly, various central and state government entities have been at the forefront of the leaks, with their crumbling, ‘lowest bid’ IT infrastructure and overall apathy to user rights and privileges.
It’s quite clear that it will take a significant, or even substantial fraud to be perpetrated before the authorities wake up to the risks.