On Thursday, UIDAI officials asserted in the Supreme Court that the biometric details of residents are not shared with anyone and it would take the fastest computer currently available “more than the life of the universe” to break its 2048-bit encryption.
But, a news website now says all it takes is money and a security researcher to break into the system. Claiming another instance of data breach, a Delhi-based security researcher says he has found a vulnerable endpoint and that anyone with an Aadhaar number is affected, reported technology news website ZDnet.
The researcher Karan Saini stated that one of the providers, whom the report didn’t name, can reportedly access the Aadhaar database through an application interface which the company relies on to verify a customer’s identity. What is worrying is that the company reportedly hasn’t put security in place for the interface and as a result it would be possible to access private data on every Aadhaar card holder, irrespective of whether they're a customer of the service provider or not, the report stated.
The affected endpoint uses a hardcoded access token, which, when decoded, translates to "INDAADHAARSECURESTATUS," allowing anyone to query Aadhaar numbers against the database without any additional authentication, said Saini.
The researcher refused to publish the url as that would compromise data of millions of Indians. They said the application interface did not have rate limiting in place. Rate limiting is a simple but useful security feature which slows down password-guessing attacks. It allows you to limit the number of HTTP requests a user can make in a given period of time.
Without rate limiting in place, an attacker can cycle through every permutation of Aadhaar numbers and obtain information each time a successful result is hit. He explained that it would be possible to enumerate Aadhaar numbers by going through various combinations, such as 1234 5678 0000 to 1234 5678 9999.
"An attacker is bound to find some valid Aadhaar numbers there which could then be used to find their corresponding details," Saini said. And because there is no rate limiting, Saini said he could send thousands of requests each minute from a single computer alone, reported ZDnet.
Saini, reported the website, had run a handful of Aadhar numbers (from friends who gave him permission) through the application and the response included the Aadhaar holder's full name and their consumer number and it also revealed information on connected bank accounts, said Saini. This seems to contradict the disclosure by Aadhaar officials, who tweeted that the Aadhaar database does not keep bank account details.
Even the Union IT minister Ravi Shankar Prasad has stated that, “Aadhaar does not save the details of your bank account.”
Contrary to these claims, the software not only gives out date of the utility provider's customers, it also allows access to Aadhaar holders' information who have connections with other utility companies, as well, alleges the report.
ZDnet says it attempted to reach out to Indian authorities but no one responded to their repeated emails. They later contacted the Indian Consulate in New York and informed Devi Prasad Misra, the consul for trade and customs, about the issue in details. Many follow-up questions were asked, yet the security flaw was not fixed, they say.
The article states that once the data breach has been fixed, they would identity the website.
Earlier, in January, a reporter from The Tribune paid ₹500 to create a gateway through which the reporter could access all particulars that an individual may have submitted to the UIDAI and for an additional ₹300, the reporter got the software that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.