Aadhaar system security flaw: Every Indian citizen's private details at high risk

24 Mar 2018 4:27 PM | General

Aadhaar, the government database for citizen IDs, holds fingerprints, iris scans and a lot of other personal information linked to every number. With the government forcing Indians to link every record to it, be it a bank account or a mobile number, a leak of Aadhaar data puts the holder at major privacy risk.

According to an exclusive Zero Day report by security journalist Zack Whittaker (via ZDNet), the details of every Indian citizen enrolled in Aadhaar have been exposed. Whittaker writes that the national ID database has been hit by yet another major security lapse. Though Aadhaar is not completely mandatory, not linking it leaves users unable to access basic as well as major government services. The report states that even companies such as Amazon and Uber can easily tap into an Aadhaar database to identify their customers.

According to a report by The Tribune in January, a security lapse in the Aadhaar system could give access to billions of Aadhaar details in less than 10 minutes and for just Rs 500. A similar report by the Washington Post in January again stated that a billion people are at risk of identity theft due to a security breach in the Aadhaar system. This time, a security researcher, Saini, confirmed to ZDNet that a flaw in the Aadhaar database system is still leaking every Aadhaar card's details. According to the report, the data leak, on a system run by a state-owned utility company, allows anyone to download private information on all Aadhaar holders, exposing their names, unique ID numbers, all attached services including bank details, and a lot more. The report further states that Saini disclosed that the API's URL has no access controls in place.

“The affected endpoint uses a hardcoded access token, which, when decoded, translates to "INDAADHAARSECURESTATUS," allowing anyone to query Aadhaar numbers against the database without any additional authentication. Saini also found that the API doesn't have any rate limiting in place, allowing an attacker to cycle through every permutation -- potentially trillions -- of Aadhaar numbers and obtain information each time a successful result is hit. He explained that it would be possible to enumerate Aadhaar numbers by cycling through combinations, such as 1234 5678 0000 to 1234 5678 9999. "An attacker is bound to find some valid Aadhaar numbers there which could then be used to find their corresponding details," he said. And because there is no rate limiting, Saini said he could send thousands of requests each minute -- just from one computer,” the ZDNet report claims.

"From the requests that were sent to check for a rate limiting issue and determine the possibility of stumbling across valid Aadhaar numbers, I have found that this information is not retrieved from a static database or a one-off data grab, but is clearly being updated -- from as early as 2014 to mid 2017," Saini told ZDNet. "I cannot speculate whether it is UIDAI that is providing this information to [the utility provider], or if the banks or gas companies are, but it seems that everyone's information is available, with no authentication -- no rate limit, nothing." While the Aadhaar case (on making it mandatory) is still with the court, those who have not yet registered are safe. However, the millions who have already registered with UIDAI are presently at a very high risk.
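The two quoted passages above describe the same defensive gap: no rate limit and no authentication, so one client can walk consecutive ID numbers unchecked. As an added illustration from the defender's side (not code from the ZDNet report, Saini, UIDAI or the utility involved), the following Python flags exactly that pattern in lookup-API access logs; the log format, client names, ID values and thresholds are constructed assumptions.

```python
# Spot ID-enumeration bursts in lookup-API access logs (constructed example;
# log format, clients, ids and thresholds are assumptions, not real UIDAI logs).
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <client> <queried 12-digit id>".
SAMPLE_LOG = "\n".join(
    # client A walks ids 123456780000, 123456780001, ... within three seconds
    [f"2018-03-20T10:00:{i // 10:02d} clientA 12345678{i:04d}" for i in range(25)]
    # client B performs three ordinary, unrelated lookups a minute apart
    + ["2018-03-20T10:00:05 clientB 555500001234",
       "2018-03-20T10:01:05 clientB 555500009876",
       "2018-03-20T10:02:05 clientB 555500004321"]
)

def parse_log(text):
    """Return (timestamp, client, id) tuples in time order, skipping bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], int(parts[2])))
    return sorted(events)

def find_enumeration(events, window=timedelta(seconds=60), max_ids=20, seq_ratio=0.8):
    """Flag clients that query more than max_ids distinct ids inside `window`
    and whose queried ids mostly advance by exactly one (a sequential walk)."""
    recent = defaultdict(deque)  # client -> (timestamp, id) pairs inside window
    flagged = {}
    for ts, client, qid in events:
        q = recent[client]
        q.append((ts, qid))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        ids = [i for _, i in q]
        distinct = len(set(ids))
        if distinct <= max_ids:
            continue
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        ratio = steps / (len(ids) - 1)
        if ratio >= seq_ratio:
            flagged[client] = {"distinct_ids": distinct, "sequential_ratio": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    print(find_enumeration(parse_log(SAMPLE_LOG)))
```

The same sliding-window count is what a per-client rate limit on the endpoint would enforce at request time; here it runs after the fact over logs so an existing deployment can at least detect the abuse the report says went unnoticed.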

Courtesy: Deccan Chronicle
