The Indian government’s ‘DigiLocker’ online cloud service reportedly had a critical authentication flaw that could have allowed hackers to access the personal data of 38 million (3.8 crore) users. That’s according to cyber-security researcher Ashish Gahlot, who says he discovered the vulnerability while analyzing the platform’s authentication mechanism.
In a detailed post on Medium, he claimed that the vulnerability allowed him to intercept the connection and bypass the authentication with just a simple script. According to him: “So we can just write a python script … and by just knowing the username we can change the password of ANY USER”.
As it turns out, the flaw allowed anyone with sufficient skills to change the PIN of someone else’s account without knowing the password. A second flaw could have allowed malicious actors to take over user profiles by bypassing the OTP step: an automated script intercepting the connection between the client device and the DigiLocker server could modify the server’s response so that the client treated the OTP check as passed.
Thankfully, both flaws are now said to have been fixed. Gahlot says he contacted the DigiLocker team with his findings on May 16th. While the OTP loophole was plugged just a couple of days later, on May 18th, the PIN bypass vulnerability was fixed on June 1st.
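The two weaknesses described above share one root cause: a server that accepts a client-asserted “OTP verified” state, or a PIN-change request keyed only on a username, can be driven by anyone who can edit the traffic. The sketch below is an added illustration of that flaw class and its fix, not DigiLocker’s own code; the class names, the 3-attempt limit and the 5-minute expiry are assumptions chosen for the example.

```python
import hmac
import secrets
import time

class WeakPinReset:
    """Flaw class: the server trusts a verified flag that the client controls."""
    def __init__(self, pins):
        self.pins = pins
    def change_pin(self, username, otp_verified, new_pin):
        # Anyone who can modify the request or response can set otp_verified=True,
        # so knowing a username is enough to reset any user's PIN.
        if otp_verified:
            self.pins[username] = new_pin
            return True
        return False

class HardenedPinReset:
    """OTP state lives server-side; a PIN change needs a server-issued token."""
    MAX_ATTEMPTS = 3       # assumed policy values for the example
    TTL_SECONDS = 300
    def __init__(self, pins):
        self.pins = pins
        self.pending = {}       # username -> (otp, expiry, failed_attempts)
        self.reset_tokens = {}  # token -> (username, expiry)
    def send_otp(self, username):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (otp, time.time() + self.TTL_SECONDS, 0)
        return otp  # would be delivered out of band; returned here only for the demo
    def verify_otp(self, username, submitted):
        rec = self.pending.get(username)
        if rec is None:
            return None
        otp, expiry, attempts = rec
        if time.time() > expiry or attempts >= self.MAX_ATTEMPTS:
            del self.pending[username]   # expired or locked out: start over
            return None
        if not hmac.compare_digest(otp, submitted):
            self.pending[username] = (otp, expiry, attempts + 1)
            return None
        del self.pending[username]       # OTP is single-use
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (username, time.time() + self.TTL_SECONDS)
        return token
    def change_pin(self, token, new_pin):
        rec = self.reset_tokens.pop(token, None)   # single-use token
        if rec is None:
            return False
        username, expiry = rec
        if time.time() > expiry:
            return False
        self.pins[username] = new_pin
        return True
```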
The flaws in the DigiLocker system have now been fixed, but the developments still raise questions about the security of government-run digital platforms in the country. Aadhaar has suffered multiple security breaches since its inception, and the recently open-sourced COVID-19 contact tracing app, Aarogya Setu, also reportedly has severe security loopholes that might jeopardize the privacy of unsuspecting users.