On February 10, I received a very interesting private message on Twitter.

With “Aadhaar” and “leak” in the same sentence, this guy managed to get my interest. After a few messages, he sent me a URL.

This page contains a lot of juicy information:

- The hyperlink associated with the “Consumer No” contains a parameter called “aadhar_no”

- The “Consumer Name”

- The “Consumer Address”

- On the bottom right we have the “Total Records”

- In the URL, there is a parameter called dealerID

So, due to a lack of authentication in the local dealers' portal, Indane is leaking the names, addresses and Aadhaar numbers of its customers. But how big is this leak?

This is the dealer portal, so if we modify the value of the dealerID parameter, we can access the consumer info of another dealer. So, to get the size of this leak, we need to get the IDs of the Indane dealers.
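To make the flaw concrete from the defender's side, here is an added example (not Indane's code, and not the real portal) modelling the lookup in its vulnerable form next to a hardened one. The data, `Session` type, `AUDIT_LOG` and function names are all constructed for illustration.

```python
# Added example, not the portal's own code: the dealer lookup as the post describes it,
# beside a version that authenticates, authorises on the session, and logs mismatches.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data keyed by dealer id; the Aadhaar values are fake placeholders.
CONSUMERS = {
    101: [{"consumer_no": "C-1", "name": "A. Example", "aadhaar_no": "XXXX-0001"}],
    102: [{"consumer_no": "C-2", "name": "B. Example", "aadhaar_no": "XXXX-0002"}],
}

AUDIT_LOG = []  # denied requests land here; a real deployment would ship them to a SIEM


@dataclass
class Session:
    authenticated: bool
    dealer_id: Optional[int] = None


class AccessDenied(Exception):
    pass


def vulnerable_lookup(dealer_id):
    # What the post found: no session required, the dealerID taken straight from the URL,
    # so any visitor can read any dealer's consumer records (an IDOR).
    return CONSUMERS.get(dealer_id, [])


def hardened_lookup(session, requested_dealer_id):
    # Authentication: the caller must be logged in at all.
    if not session.authenticated or session.dealer_id is None:
        AUDIT_LOG.append(f"denied unauthenticated request for dealer {requested_dealer_id}")
        raise AccessDenied("login required")
    # Authorisation: the record set is bound to the session's dealer, never to the
    # client-supplied id. A mismatch is the IDOR signal worth alerting on.
    if requested_dealer_id != session.dealer_id:
        AUDIT_LOG.append(f"dealer {session.dealer_id} requested dealer {requested_dealer_id}")
        raise AccessDenied("not your records")
    rows = CONSUMERS.get(session.dealer_id, [])
    # Data minimisation: a list view never needs to render the Aadhaar number.
    return [{k: v for k, v in row.items() if k != "aadhaar_no"} for row in rows]
```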

According to Wikipedia, Indane serves more than 90 million families through a network of 9100 distributors. Wow, we have a story here, I definitely need to investigate more.

Oh, they have an Android app; it could be interesting to look at it too.