ZDNet, a business and technology website, has reported a new and serious security breach of the Aadhaar database. The data leak, associated with an incorrectly secured API endpoint used by a state-owned utility to authenticate Aadhaar numbers, allows a malicious hacker to access private information on all Aadhaar numbers, including the bank linked with the Aadhaar number and the services the number has been linked to.

The breach was identified over a month ago by Karan Saini, a New Delhi-based security researcher. ZDNet attempted to contact UIDAI to report the vulnerability by email, phone and even Twitter but received no response. They then contacted the Indian Consulate in New York and, after providing extensive information on the nature of the breach, still saw no action to secure it. They informed the consul that they could be publishing the story on Friday and requested a comment from the Indian government, but received no reply to their last email. They published as notified, but there has been no action on the part of the UIDAI to secure the breach even after it has been reported.

How much information is leaked is unclear from the article (possibly for security reasons), but the article mentions:

“A data leak on a system run by a state-owned utility company can allow anyone to download private information on all Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and information about services they are connected to, such as their bank details and other private information.”

As well as:

“When Saini ran a handful of Aadhaar numbers (from friends who gave him permission) through the endpoint, the server’s response included the Aadhaar holder’s full name and their consumer number — a unique customer number used by that utility provider. The response also reveals information on connected bank accounts, said Saini. Screenshots seen by ZDNet reveal details about which bank that person uses — though, no other banking information was returned.”

Whether the complete demographic data is returned is not known, nor is it known whether information on other services or details of bank accounts are revealed.

As of now, they have withheld crucial information about the security breach, including the names of the utility provider and the Aadhaar API endpoint, as the breach is still live.

The nature of the breach has unnerving similarities to the vulnerabilities Elliot Alderson (pseudonym) reported about the mAadhaar app (he had called that a “school project” in terms of quality of coding). This vulnerability too has very similar problems: incorrectly secured access and a hardcoded access token which, when decoded, reads “INDAADHAARSECURESTATUS”. (Remember the hardcoded string “123456789” and the infamous salt from Alderson’s exposés, “BeTtyBoTterHAdSoMeBiTTerButTeR-@”?) Any person who has the access token can query the Aadhaar database.

There is no rate limiting in place, a concern that Alderson had brought up about the mAadhaar app and that other security researchers had brought up about the Tribune data breach report, where the entire database could potentially be replicated by simply manipulating the URL and scraping data. This potentially allows a malicious hacker to cycle through all possible Aadhaar numbers (trillions) and download details of the numbers for which Aadhaar is present. (MediaNama note: Something like this can be done using a pretty basic scraper script that cycles through numbers and enters responses into a database, allowing the complete Aadhaar demographic database to be replicated by third parties.)
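The control whose absence is described above, as an added example (not code from ZDNet, MediaNama or UIDAI): a server-side guard that caps both total lookups and the number of different ID numbers one caller may query per window, replayed over audit records. The thresholds, the `caller` key (assumed to be a per-client session or credential, not a token shared by every client) and the sample records are constructed.

```python
import time
from collections import defaultdict, deque

class LookupGuard:
    """Sliding-window limits per caller for an identity-lookup endpoint."""

    def __init__(self, max_requests=30, max_distinct_ids=5, window_s=60.0):
        self.max_requests = max_requests          # total lookups per window
        self.max_distinct_ids = max_distinct_ids  # different ID numbers per window
        self.window_s = window_s
        self._events = defaultdict(deque)         # caller -> (timestamp, id_number)

    def check(self, caller, id_number, now=None):
        """Return 'allow', 'deny:rate' or 'deny:enumeration' for one lookup."""
        now = time.monotonic() if now is None else now
        events = self._events[caller]
        while events and now - events[0][0] >= self.window_s:
            events.popleft()                      # forget lookups older than the window
        if len(events) >= self.max_requests:
            return "deny:rate"
        seen = {i for _, i in events}
        if id_number not in seen and len(seen) >= self.max_distinct_ids:
            return "deny:enumeration"             # too many different IDs from one caller
        events.append((now, id_number))
        return "allow"


def replay(log, guard=None):
    """Replay (timestamp, caller, id_number) audit records; return denials per caller."""
    guard = guard or LookupGuard()
    denied = defaultdict(list)
    for ts, caller, id_number in log:
        verdict = guard.check(caller, id_number, now=ts)
        if verdict != "allow":
            denied[caller].append(verdict)
    return dict(denied)


# Constructed audit records: one customer re-checking their own number,
# and one caller walking through many different numbers in a few seconds.
SAMPLE_LOG = (
    [(float(t), "session-customer", "ID-0001") for t in (0, 20, 40)]
    + [(float(t), "session-bulk", f"ID-{1000 + t:04d}") for t in range(10)]
)

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

Keying the guard on a credential that every client shares would make all callers look like one, which is why the hardcoded token and the missing rate limit compound each other.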

When Saini ran a handful of Aadhaar numbers (from friends who gave him permission) through the endpoint, the server’s response included the Aadhaar holder’s full name and their consumer number — a unique customer number used by that utility provider. The response also reveals information on connected bank accounts, said Saini. Screenshots seen by ZDNet reveal details about which bank that person uses — though, no other banking information was returned.

This is similar to the information available by entering “*99*99*1#” from your mobile phone followed by any Aadhaar number to find out which bank the Aadhaar is linked to. This is apparently a feature and not a bug. The UIDAI does not consider this to be sensitive information about a person, though it can easily be used for phishing.

As ZDNet points out, this directly contradicts repeated claims by the UIDAI on social media as well as in the Supreme Court that the Aadhaar database does not store any information about bank accounts or other details.

Read the full story on ZDNet.

Update: UIDAI denies security breach

Predictably, the UIDAI has denied that there is a security breach, as per the news service ANI. “UIDAI refuted reports in sections of media sourced from news website which quoted a man purportedly claiming to be a security researcher that a state-owned utility company has vulnerability which can be used to access a huge amount of Aadhaar data including banking details. There is no truth in this story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure.”

MediaNama’s take

Whether through this security issue or others not yet known, the likelihood of the Aadhaar database being replicated by malicious hackers for misuse or sale on the black market is undeniable. At this point, we don’t even consider it a risk so much as a near guarantee. This is further borne out by the statement of Dr. Ajay Pandey, CEO of UIDAI, in the Supreme Court that there are more than 4 crore successful authentications per day! Unless every thirtieth person with an Aadhaar authenticates daily (not counting the extensive reports of failures, Aadhaars of infants and children, dead people, undeliverable Aadhaars and so on), this number is suspicious and indicates at least some bulk authentication activity, which the UIDAI should have been able to catch and identify given their claims of audit trails. However, a few malicious scripts scraping the database would explain that number easily.

Prima facie, this security breach appears to return less data than the Tribune breach, which returned the full demographic profile. It is not known whether the API can be used to access more information.

This also highlights repeated concerns raised about the lack of a proper security issue reporting system for so sensitive a project. Not only are there no proper bug reporting channels direct to developers, official emails and phone numbers are not attended to promptly for security issues either. Twitter DMs are hardly an appropriate method of reporting sensitive data. The UIDAI’s inappropriate use of Twitter DMs has also been highlighted at other times, when people are encouraged to message their Aadhaar details to the UIDAI if they have issues. Twitter DMs are not separate and the account is often accessed from a mobile phone, meaning that the sensitive data then gets accessed from yet another platform with a large amount of spyware and malware available for it. Recent posts by those using the Facebook app on their phone showed that Facebook had a record of all the phone calls people had made in the last year, without using the Facebook app or having any connection to Facebook whatsoever. Carelessly applied permissions allow considerable levels of snooping on a phone. Several Aadhaar apps themselves request extremely dangerous levels of permissions from a security perspective.

Repeated security issues revealing poor coding standards are a serious concern. Aadhaar code is not available in the public domain, though various people have claimed at various times that it is open-source. What little we discover about the code comes from such reports and, so far, we have seen very elementary and serious issues plaguing the project that secures the sensitive information of an entire country, including uncontrolled access to the database through the creation of accounts by unauthorized people (as seen in the Tribune Data Breach story), lack of knowledge of or lack of seriousness about secure coding practices like adequate randomization, hardcoded strings that make it really easy for malicious hackers to access information, lack of rate limiting that gives someone with unauthorized access unlimited access as well, and so on.