The Indian government's DigiLocker online cloud service reportedly had a critical authentication flaw that could have allowed attackers to access the personal data of 38 million (3.8 crore) users. That is according to cyber-security researcher Ashish Gahlot, who says he found the vulnerability while analysing the platform's authentication mechanism.
In a detailed post on Medium, he claimed that the vulnerability allowed him to intercept the connection and bypass authentication with nothing more than a simple script. According to him: “So we can just write a python script … and by just knowing the username we can change the password of ANY USER”.
In effect, the flaw allowed anyone with enough expertise to change the PIN of another person's account without knowing the password. It could also have allowed malicious actors to take over user profiles by bypassing the OTP process and modifying the server's response with an automated script that intercepted the connection.
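The flaw class described above, an OTP step whose outcome is read back from a client-controlled response rather than enforced server-side, is illustrated below as an added example; it is not DigiLocker's code, and the service, method and field names are assumptions. The insecure method shows why a tampered "verified" flag is enough, while the hardened method binds the PIN reset to a single-use token that only the server issues after a correct OTP, with expiry and an attempt limit.

```python
"""Added illustration of a client-trusted OTP check beside a server-bound one.
Not DigiLocker's code; names and data are constructed for the example."""
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300
MAX_OTP_ATTEMPTS = 5


class PinResetService:
    def __init__(self):
        self.pins = {}           # username -> current PIN (constructed store)
        self._pending = {}       # username -> (otp, expires_at, attempts_left)
        self._reset_tokens = {}  # username -> (token, expires_at)

    def request_otp(self, username, now=None):
        """Generate an OTP and keep it server-side. A real service delivers it
        out of band (SMS/e-mail); it is returned here only so the demo can run."""
        now = now or time.time()
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (otp, now + OTP_TTL_SECONDS, MAX_OTP_ATTEMPTS)
        return otp

    def verify_otp(self, username, submitted, now=None):
        """Return a single-use reset token on success, else None.
        The token, not a client-reported flag, is what authorises the reset."""
        now = now or time.time()
        record = self._pending.get(username)
        if record is None or not isinstance(submitted, str):
            return None
        otp, expires_at, attempts_left = record
        if now > expires_at or attempts_left <= 0:
            self._pending.pop(username, None)   # expired or brute-forced: discard
            return None
        if not hmac.compare_digest(otp.encode(), submitted.encode()):
            self._pending[username] = (otp, expires_at, attempts_left - 1)
            return None
        self._pending.pop(username, None)
        token = secrets.token_urlsafe(32)
        self._reset_tokens[username] = (token, now + OTP_TTL_SECONDS)
        return token

    def reset_pin_insecure(self, username, new_pin, client_verified_flag):
        """VULNERABLE pattern: the server trusts a 'verified' flag echoed back by
        the client, so anyone who edits that response can reset any user's PIN."""
        if not client_verified_flag:
            return False
        self.pins[username] = new_pin
        return True

    def reset_pin(self, username, new_pin, reset_token, now=None):
        """Hardened pattern: only a token this server issued after a correct OTP,
        still unexpired and not yet consumed, authorises the change."""
        now = now or time.time()
        record = self._reset_tokens.get(username)
        if record is None or not isinstance(reset_token, str):
            return False
        token, expires_at = record
        if now > expires_at or not hmac.compare_digest(token.encode(), reset_token.encode()):
            return False
        self._reset_tokens.pop(username)  # single use: no replay
        self.pins[username] = new_pin
        return True


def demo():
    """Run both paths against a constructed account and report what happened."""
    svc = PinResetService()
    svc.pins["alice"] = "1111"
    # Insecure path: a forged "verified" flag alone changes the PIN.
    forged_ok = svc.reset_pin_insecure("alice", "0000", client_verified_flag=True)
    # Hardened path: a made-up token (no OTP step) is rejected ...
    forged_rejected = not svc.reset_pin("alice", "2222", "made-up-token")
    # ... the legitimate flow works once, and the token cannot be replayed.
    otp = svc.request_otp("alice")
    token = svc.verify_otp("alice", otp)
    legit_ok = svc.reset_pin("alice", "3333", token)
    replay_rejected = not svc.reset_pin("alice", "4444", token)
    return {
        "forged_flag_accepted_by_insecure": forged_ok,
        "forged_token_rejected": forged_rejected,
        "legit_reset_ok": legit_ok,
        "token_replay_rejected": replay_rejected,
        "final_pin": svc.pins["alice"],
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that every decision (OTP match, expiry, attempt count, reset authorisation) is made from state the server holds; nothing the client sends back about an earlier step is trusted, so editing a response in transit changes nothing.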
Fortunately, both flaws are said to have been fixed. Gahlot says he contacted the DigiLocker team with his findings on May 16th. The OTP loophole was plugged just a couple of days later, on May 18th, while the PIN bypass vulnerability was fixed on June 1st.
Although the flaws in the DigiLocker system have now been fixed, the developments still raise further questions about the security of government-run digital platforms in the country. Aadhaar has suffered several security breaches since its inception, and the recently open-sourced COVID-19 contact tracing app, Aarogya Setu, also reportedly has serious security loopholes that could jeopardise the privacy of unsuspecting users.