By now, it is no secret that UIDAI is having a hard time safeguarding the Aadhaar data of citizens, and the irresponsible behavior of certain government departments in handling Aadhaar data has only aggravated the issue. But what if I told you that you can access the Aadhaar cards of Indians with a simple Google search? What if just about anyone – even those without any hacking skills – can access your Aadhaar details just because you had shared them with an unsecured agency? Yes, it’s possible.
As scary as it sounds, we’ve tested the glaring loophole, and were surprised to find that the Aadhaar cards of citizens from various states were left unsecured in search results, in the form of PDFs. Baptiste Robert aka Elliot Alderson tweeted about the ominous keyword, which opens the treasure trove of Aadhaar cards and other sensitive data. All you have to do is search this on Google: Mera Aadhaar Meri Pehchan filetype:pdf
Hi @UIDAI and @ceo_uidai, it's time for you to force your partners to handle #Aadhaar cards in a secure way.
If you make a Google search query with one of these lines you will find thousands of #Aadhaar cards. @UIDAI: It's time to admit that this is not OK and to work on a fix. pic.twitter.com/wHDlKevF68
— Elliot Alderson (@fs0c131y) March 16, 2018
In the search results, you’ll be greeted with a list of PDF files that contain copies of the Aadhaar cards of citizens from states like Uttar Pradesh, Kerala and Karnataka among others. I opened the second and third pages of Google search results and found them littered with Aadhaar cards in the form of downloadable PDF files, sans any password prompt.
In addition to Aadhaar cards, I also came across documents like passport application forms and receipts enclosed with a copy of a college degree along with the applicant’s Aadhaar card. Moreover, I also discovered a list of 12,127 companies based in Bihar, complete with their CIN/FCRN numbers and registration dates, openly accessible to anyone with an internet-enabled device.
Earlier this week, French cybersecurity expert Robert aka Alderson uploaded a video which showcased how the updated mAadhaar app’s security can be bypassed in less than a minute by just connecting a stolen smartphone to a PC and running a command on it. Although frightening, that method required physical access to a person’s device and a little coding knowledge, but the Google search method is simply baffling. I cannot even fathom what else one could discover if other search result pages are scanned after Googling the keyword.
With UIDAI unable to protect our Aadhaar data, government websites going on a data leakage spree every now and then, hospitals and other organizations mishandling/misusing the Aadhaar details of beneficiaries, there seems to be no respite. It’s high time that the government realizes the gravity of the issue and takes appropriate action, or else, Aadhaar would prove to be nothing more than an insanely expensive catastrophe.