UIDAI calls latest report of Aadhaar data leak false

Latest data leak will allow hackers access to names, Aadhaar numbers and bank details amongst other personal information

Merely days after the central government defended Aadhaar, India's biometric ID programme, with '13-feet high, 5-feet thick walls', it seems that the system still has many flaws to fix. Karan Saini, a New Delhi-based security researcher, has found out that the Aadhaar database has been leaking information on every Aadhaar holder. What this means is that not only are your address and phone number vulnerable this time, but everything linked to it—even your bank account details are at major risk!

According to a report by ZDNet, a data leak on a system run by the state-owned utility company Indane can allow anyone to download private information on all Aadhaar holders. The leak allows easy access to Aadhaar numbers, names, personal details and bank account details of any citizen with an Aadhaar card.

Indane, a Liquefied Petroleum Gas (LPG) brand has access to the Aadhaar database through an Application Programming Interface (API). Though the company uses it to verify a customer's identity, there isn't any form of security on the interface. This means that anyone with access to the interface can access data of every Aadhaar card holder, irrespective of whether they are Indane users or not—and all of this can happen within minutes! What's even more shocking is that Saini found out that there's no rate limiting in place. This will allow hackers to enter endless combinations of Aadhaar numbers from just one computer on the API every minute with details being revealed every time a valid Aadhaar number is entered. "An attacker is bound to find some valid Aadhaar numbers there which could then be used to find their corresponding details," Saini told ZDNet.
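
A server-side guard of the kind the endpoint described above lacked, as an added example that is not code from the article, ZDNet or Indane: it requires a credential and caps both the request volume and the number of distinct ID numbers one client may look up per time window. The class name, thresholds, API key, client addresses and ID strings are all constructed assumptions.

```python
from collections import defaultdict, deque


class LookupGuard:
    """Gate for an identity-lookup endpoint (hypothetical, for illustration)."""

    def __init__(self, valid_keys, max_requests=5, max_distinct_ids=3, window=60.0):
        self.valid_keys = set(valid_keys)         # credentials issued to partners
        self.max_requests = max_requests          # total lookups per client per window
        self.max_distinct_ids = max_distinct_ids  # different ID numbers per window
        self.window = window                      # window length in seconds
        self.history = defaultdict(deque)         # client -> deque[(time, id_number)]

    def check(self, api_key, client, id_number, now):
        """Return 'allow', 'deny_auth', 'deny_rate' or 'deny_enumeration'."""
        if api_key not in self.valid_keys:
            return "deny_auth"                    # unauthenticated callers get nothing
        events = self.history[client]
        while events and now - events[0][0] >= self.window:
            events.popleft()                      # forget attempts outside the window
        events.append((now, id_number))           # denied attempts still count
        if len(events) > self.max_requests:
            return "deny_rate"
        if len({i for _, i in events}) > self.max_distinct_ids:
            return "deny_enumeration"             # one client cycling through many IDs
        return "allow"


def replay(guard, requests):
    """Run (api_key, client, id_number, time) tuples through the guard."""
    return [guard.check(*r) for r in requests]


# Constructed sample traffic; addresses are from documentation ranges.
SAMPLE = [
    ("k-partner", "192.0.2.5", "ID-0001", 0),
    ("k-partner", "192.0.2.5", "ID-0001", 10),   # same customer re-verified
    (None,        "192.0.2.9", "ID-0002", 11),   # no credential presented
    ("k-partner", "192.0.2.7", "ID-1000", 20),
    ("k-partner", "192.0.2.7", "ID-1001", 21),
    ("k-partner", "192.0.2.7", "ID-1002", 22),
    ("k-partner", "192.0.2.7", "ID-1003", 23),   # fourth distinct ID in 60 s
    ("k-partner", "192.0.2.7", "ID-1003", 90),   # earlier attempts have aged out
]

if __name__ == "__main__":
    for request, verdict in zip(SAMPLE, replay(LookupGuard({"k-partner"}), SAMPLE)):
        print(request, "->", verdict)
```

A per-address limit alone does not stop a distributed caller, so the same counters are usually also kept per credential.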

The publication claims to have been trying to contact UIDAI for over a month in order to report the vulnerability but never got any response. ZDNet then went on to contact the Indian Consulate in New York which also did not take any concrete steps with the vulnerability still being present. However, within hours of the story getting published, the affected endpoint was pulled offline.

On the other hand, the Unique Identification Authority of India (UIDAI) continues to be living in its own bubble of sorts. The organisation took to its official Twitter account to defend the Aadhaar system, calling it completely safe and ZDNet's reporting as 'false and irresponsible'. "Even if this claim is taken as true, it would raise security concerns on database of that utility company and has nothing to do with security of UIDAI's Aadhaar database. If one goes by the logic of ZDNet's story, since the utility company's database also had bank account numbers of its customers, so would that mean that all Indian banks' databases have been breached? The answer would obviously be in negative," a part of UIDAI's tweet reads.

We refute the reports in a certain section of media sourced from ZDNet which quote a person purportedly claiming to be a security researcher that a state-owned utility company has vulnerability which can be used to access huge amount of Aadhaar data including banking details. 1/8

— Aadhaar (@UIDAI) March 24, 2018

Zack Whittaker from ZDNet tweeted out an image of the leaked records, saying that he stood by his story despite UIDAI denying the leaks.

Aadhaar and controversies seem to be going hand in hand of late. On one hand, the system continues to be hit with data leaks and data trade scandals every other day. Meanwhile, the UIDAI has continued to refute security concerns all along, with a top executive recently claiming that “It would take more than the age of the universe for the fastest computer on earth, or any supercomputer, to break one key of Aadhaar encryption.” Well, it seems that for now, all it takes is any ordinary computer and an API to put millions of identities at risk.