Indian state government fixes website bug that revealed Aadhaar numbers and fingerprints
A security researcher says a bug on an Indian state government website inadvertently revealed documents containing residents’ Aadhaar numbers, identity cards, and copies of their fingerprints.
The bug was fixed last week after the researcher disclosed it to local authorities.
Sourajeet Majumder found the bug in the West Bengal government’s e-District web portal that allows state residents to access government services online, like obtaining birth and death certificates and building applications. Majumder said the website bug meant it was possible to obtain land deeds, which contain records about the owners of a piece of land, from the e-District website by guessing sequential deed application numbers.
Application identification numbers are unique 16-digit numbers issued by the state government when a local resident applies for a digital copy of a deed.
Not every application identification number was valid. By using publicly available tools like Burp Suite to analyze the network traffic in and out of the website, Majumder could cycle through entire lists of sequential application numbers and use the server’s responses to determine whether a given application identification number was valid.
With access to an application identification number, anyone with a login to the e-District system could access a copy of a land deed. Two land deed records seen by TechCrunch contain the names of the individuals involved with the deed, their photographs, and their full set of fingerprints from both hands. It’s not uncommon to see multiple individuals on a single deed.
The deeds also contain the individuals’ government-issued identity documents, including their confidential Aadhaar numbers, which every citizen is assigned as part of India’s national identity and biometric database. Aadhaar numbers are required for accessing banking, cell phone plans, and many government services.
Majumder reported the website vulnerability to India’s computer emergency response team, known as CERT-In, and the West Bengal government, fearing that the vulnerability could be misused for identity fraud. The bug was fixed soon after.
It’s not known whether anyone other than Majumder discovered the bug. Representatives for the West Bengal government and CERT-In did not return requests for comment. The West Bengal government’s e-District website says it has processed more than 17 million applications to date, though it’s not known how many relate to land deeds.
Local media reports a recent rise in fraud linked to the alleged theft of biometric information, which criminals are said to be using to empty bank accounts.
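The flaw described above combines a missing per-object authorization check with server responses that reveal which sequential application numbers exist. The Python sketch below is an added example, not the e-District portal's code or its actual fix, which the article does not describe; the record fields, account names, function names and the miss threshold are assumptions, and the sample records are constructed.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Deed:
    application_id: str  # sequential 16-digit number, as in the article
    owner: str           # account that filed the application (assumed field)
    document: bytes

# Constructed sample records; IDs and account names are made up.
DEEDS = {d.application_id: d for d in (
    Deed("1000000000000041", "alice", b"deed-A"),
    Deed("1000000000000042", "bob", b"deed-B"),
)}
NOT_FOUND = (404, b"not found")
denied_lookups = Counter()  # per-account misses, to feed rate limiting/alerting

def fetch_deed_vulnerable(user, application_id):
    """The pattern the article describes: login checked, ownership not."""
    if not user:
        return (401, b"login required")
    deed = DEEDS.get(application_id)
    if deed is None:
        return NOT_FOUND          # a miss looks different from a hit
    return (200, deed.document)   # any logged-in account gets any deed

def fetch_deed_hardened(user, application_id, max_denied=20):
    """Per-object ownership check, uniform denial, and a cap on misses."""
    if not user:
        return (401, b"login required")
    if denied_lookups[user] >= max_denied:
        return (429, b"too many requests")
    deed = DEEDS.get(application_id)
    if deed is None or deed.owner != user:
        denied_lookups[user] += 1  # missing and not-yours are indistinguishable
        return NOT_FOUND
    return (200, deed.document)
```

Because the hardened handler returns the same response for a nonexistent number and for another resident's deed, response differences no longer confirm which numbers are valid, and the per-account miss counter gives operations a signal when one login walks through many numbers.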