India is slowly heading towards being a digital-first country, and while we may have made progress in some initiatives, cybersecurity remains a weak point when it comes to digitizing India.
It was previously reported how hundreds of govt. websites may have leaked the citizen’s Aadhar card’s data. Now, another issue that has come up is the fact that the details of practically every person in India with a voter ID are publicly available.
As first discovered by Baptiste Robert aka Elliot Anderson, a French security researcher, the voter lists in India have been made public for anyone to view. The Election Commissions of various states have released PDFs and other documents containing information about the voter’s name, father’s name, age, sex, address, and the voter ID.
In #India, the voter lists are public. Election commissions release pdfs with name, father's name, age, sex, address, voter id. Due to "poor" security practices by @CeodelhiOffice, it's possible to gather all the Delhi voters data in one database. pic.twitter.com/c7DV2wMqh7
— Elliot Alderson (@fs0c131y) February 11, 2018
Having personally checked this, we can confirm that the above claim is indeed true. For instance, if you head over to Uttar Pradesh’s State Election Commission website, you’ll be required to enter a few details about the constituency for which you’re trying to get the voter data. And with no authorization, you will be given access to a PDF file that contains the data of all the voters in that specific region. Same is the case with Maharashtra and other states’ Election Commission websites as well.
Further, Robert explains that the process is a little different when it comes to the state of Delhi. While the data cannot be viewed in bulk, it is still public. As shown by the video in his tweet, he was able to obtain the voter ID details dump by running a script.
On being DM’ed on Twitter, Robert told Beebom he created an Android application which brute forces all the possible voter ID. A voter ID is made up of a 3 letter prefix, followed by a 7 digit number.
A voter ID is a 3 letter prefix + 7 digits number. Thanks to a non-protected endpoint you can try all the possible combinations and it will return all the records found.
You can also try this for yourself by heading over to Delhi’s Election Commission website. All you have to do is simply enter a random voter ID in the aforementioned format, enter the captcha code, and you can view the details of the person to whom that ID corresponds to. Alternatively, if you know someone’s personal details, such as name and father/mother/spouse’s name, you can enter them here and get details about their address and more.
As such, we feel this is a serious issue that needs to be sorted. Making personal details such as one’s address available online is a breach of privacy, something that is certainly not ethical. The States’ Election Commissions have basically given everyone the power to access anyone’s personal data, as is evident from one of the replies to Robert’s tweet.
Unfortunately, there’s nothing you can do about it. We urge the Election Commissions to take adequate steps regarding this, enforcing necessary security measures to protect the citizen’s private details from the public eye.
Tell us what you think of it, and what measures should the government take regarding this matter in the comments down below.