A new report states that a major lapse in API security can leak all Aadhaar details.
Aadhaar, the government database for citizen IDs, holds fingerprints, iris scans and a lot of other personal information linked to every number. With the government pushing Indians to link every record to it, be it a bank account or a mobile number, an Aadhaar ID leak puts the user at major privacy risk.
According to an exclusive report by Zero Day security researcher Zack Whittaker (via ZDNet), the details of every Indian citizen enrolled in Aadhaar have been exposed. Whittaker writes that the national ID database has been hit by yet another major security lapse. Though Aadhaar is not completely mandatory, users who do not link it are unable to access everything from basic to major government services.
The report states that even companies such as Amazon and Uber can easily tap into an Aadhaar database to identify their customers.
According to a report by The Tribune in January, a security lapse in the Aadhaar system could give access to billions of Aadhaar details in less than 10 minutes for just Rs 500. A similar report by the Washington Post in January again stated that a billion people are at risk of identity theft due to a security breach in the Aadhaar system.
But this time, a security researcher has confirmed to ZDNet that a flaw in the Aadhaar database system is still leaking every Aadhaar card’s details.
The data leak, on a system run by a state-owned utility company, allows anyone to download the private information of every Aadhaar holder, exposing names, unique ID numbers, every service attached to the ID including bank details, and a lot more, the report said.
Karan Saini, a New Delhi-based security researcher who found the vulnerable endpoint, told ZDNet that anyone with an Aadhaar number is affected. ZDNet says the Indian authorities have done nothing to fix the flaw and have not responded to any of its repeated emails in the months since the findings were reported.
ZDNet later contacted the Indian Consulate in New York and alerted Mr Devi Prasad Misra, Consul for trade and customs. They explained the entire issue in detail and followed up with questions for more than a week, but the issue was still not addressed.
ZDNet went ahead and published its report, but has refrained from giving out details of the vulnerability until the Indian government fixes it. It will publish a complete, detailed report once the vulnerability is fixed.
The report stated that a utility provider (which ZDNet has kept anonymous) has access to the entire Aadhaar database through an API. Companies use the API to check the status of an Aadhaar holder and verify their identity. However, the API is not secured: the entire database of Indian citizens can be queried through it, regardless of whether the person is a customer of the utility provider or not.
The report further states that Saini found the API’s URL has no access controls in place.
“The affected endpoint uses a hardcoded access token, which, when decoded, translates to "INDAADHAARSECURESTATUS," allowing anyone to query Aadhaar numbers against the database without any additional authentication. Saini also found that the API doesn't have any rate limiting in place, allowing an attacker to cycle through every permutation -- potentially trillions -- of Aadhaar numbers and obtain information each time a successful result is hit. He explained that it would be possible to enumerate Aadhaar numbers by cycling through combinations, such as 1234 5678 0000 to 1234 5678 9999. "An attacker is bound to find some valid Aadhaar numbers there which could then be used to find their corresponding details," he said. And because there is no rate limiting, Saini said he could send thousands of requests each minute -- just from one computer,” the ZDNet report claims.
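As an added illustration (not code from ZDNet or from the researcher), the following Python script shows how an API operator or a SOC could spot, in its own access logs, the three conditions the report describes: one token presented by many clients (a hardcoded shared secret), a request rate that only a missing rate limit would allow, and lookups that walk through numbers in sequence. The log format, the thresholds and every value in the sample log are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample log, not data from the report; the service logs only the
# last four digits of each queried number. Client 203.0.113.5 walks IDs in order.
SAMPLE_LOG = """\
2018-05-01T10:00:00Z client=203.0.113.5 token=t1 id_suffix=0000 status=404
2018-05-01T10:00:00Z client=203.0.113.5 token=t1 id_suffix=0001 status=404
2018-05-01T10:00:01Z client=203.0.113.5 token=t1 id_suffix=0002 status=200
2018-05-01T10:00:02Z client=203.0.113.5 token=t1 id_suffix=0003 status=404
2018-05-01T10:03:00Z client=198.51.100.7 token=t1 id_suffix=4821 status=200
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) token=(?P<token>\S+) "
                     r"id_suffix=(?P<suffix>\d{4}) status=(?P<status>\d{3})$")

def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["suffix"] = int(ev["suffix"])
        events.append(ev)
    return events

def detect_enumeration(events, max_per_minute=3, min_run=4):
    """Flag clients that exceed a per-minute budget or query IDs in sequence."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)
    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        # Busiest 60-second window: what a missing rate limit lets through.
        busiest = max(sum(0 <= (e["ts"] - o["ts"]).total_seconds() < 60 for o in evs) for e in evs)
        reasons = ["rate"] if busiest > max_per_minute else []
        # Consecutive lookups whose suffix rises by exactly one (0000, 0001, ...).
        steps = sum(cur["suffix"] == prev["suffix"] + 1 for prev, cur in zip(evs, evs[1:]))
        if steps + 1 >= min_run:
            reasons.append("sequential")
        if reasons:
            alerts[client] = reasons
    return alerts

def shared_tokens(events, min_clients=2):
    """A token presented by many clients behaves like a hardcoded shared secret."""
    clients = defaultdict(set)
    for ev in events:
        clients[ev["token"]].add(ev["client"])
    return sorted(t for t, c in clients.items() if len(c) >= min_clients)
```

On the sample log the script reports client 203.0.113.5 for both rate and sequential lookups and token t1 as shared between two clients; in production the same checks belong in the gateway as enforcement, not only in after-the-fact log review.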
The researcher ran (with permission) a few Aadhaar numbers belonging to his friends through the endpoint, and the database returned all their information.
Screenshots seen by ZDNet reveal which bank each person uses.
However, ZDNet also points to a contradictory tweet from the Indian IT Minister Ravi Shankar Prasad stating that the Aadhaar system does not store bank account details.
The endpoint is not limited to the utility provider’s own customers; it also returns the Aadhaar details of people who have connections with other utility companies.
"From the requests that were sent to check for a rate limiting issue and determine the possibility of stumbling across valid Aadhaar numbers, I have found that this information is not retrieved from a static database or a one-off data grab, but is clearly being updated -- from as early as 2014 to mid 2017," Saini told ZDNet. "I cannot speculate whether it is UIDAI that is providing this information to [the utility provider], or if the banks or gas companies are, but it seems that everyone's information is available, with no authentication -- no rate limit, nothing."
While the Aadhaar case (on making it mandatory) is still before the court, those who have not yet registered are safe. However, the millions who have already registered with UIDAI are presently at very high risk.
Disclaimer: This report is based on ZDNet’s reporting. We are following up closely and will keep this article updated with any new information that is released. Stay tuned.