DigiLocker is widely used for storing personal documents such as driving licences, vehicle registration certificates and even marksheets. It is an authenticated platform recognised by the country's transport Ministry. With more than 1 crore downloads on Android, it has become a useful tool in the palm of users' hands. Recently, a researcher found some nagging issues with the app that allowed him to access the data of millions of users registered on it. He wrote down his findings in this post.
Ashish Gehlot was fiddling around with the app and wanted to see whether its security measures were foolproof. For this, he used the Aadhaar details of one of his family members and tried to log in with them. But instead of doing it the regular way, he decided to bypass the two-factor authentication process, which consists of an OTP and a login PIN.
Being a techie, he was able to observe the login flow in the backend and realised that, after making some changes to the code available to him, he could log in to the account of any of the millions of users signed up on the digital document wallet. This made it obvious that anyone with sufficient technical skills could break into the platform through this vulnerability.
As this raised alarm bells for Gehlot, he reached out to the DigiLocker team on 16 May. Thankfully, the company fixed the PIN issue on 18 May, and a few weeks after that it also fixed the OTP bypass vulnerability.
On 2 June, after fixing the issues, DigiLocker publicly confirmed the situation and said, "Upon analysis, it was discovered that this vulnerability had crept into the code when some new features were added recently. The vulnerability was patched on a priority basis by the technical team within a day of getting the alert from CERT-In."
It also assured users that no data was compromised because of this security flaw. DigiLocker caters to over 3.84 crore users, and with confidential documents stored on the platform, it is advisable that the team regularly review it for possible issues and let third-party researchers submit bug reports.