By now, nobody should be surprised about Aadhaar data breaches, but an exclusive report from ZDNet says the privacy and security of every single Aadhaar card holder in India is potentially under threat. The major security lapse is the latest to affect the controversial ID database that has been proven time and again to be prone to one major security flaw after another.

According to the latest report on the nightmarish state of Aadhaar security, Karan Saini, a New Delhi-based cyber-security researcher has seemingly discovered a vulnerability that can allow anyone to access private information on all Aadhaar holders, exposing their names, unique 12-digit ID numbers, information about their bank details, the services they are connected to, and more. Clearly, the 13-foot walls didn’t work.

 

The source of the data leak is reportedly an unnamed state-run utility company, which uses an unsecured API to access the Aadhaar database, jeopardizing the privacy and security of not just its own customers, but potentially all 1.1 billion Aadhaar holders in the country.

According to Saini, “the API’s endpoint … has no access controls in place, (and) the affected endpoint uses a hardcoded access token, which, when decoded, translates to “INDAADHAARSECURESTATUS,” allowing anyone to query Aadhaar numbers against the database without any additional authentication”.

The API doesn’t have any rate limiting in place, allowing an attacker to cycle through every permutation — potentially trillions — of Aadhaar numbers and obtain information each time a successful result is hit

The blog claims to have contacted the Indian Consulate in New York to discuss the revelations of Saini, and got in touch with the consul for trade and customs, Devi Prasad Misra. However, in spite of answering several follow-up questions over the next couple of weeks, the vulnerability was still not fixed.

Finally at the start of this week, ZDNet says it informed Mishra that the story would be published on Friday (March 24th), but never heard back from the Indian authorities after that. According to the blog, the issue still persists, which is why it didn’t publish the exact details about the vulnerabilities, including the name of the state-run utility, and the URL of the vulnerable API endpoint.