Any Indian DigiLocker Account Could've Been Accessed Without Password

2020-06-08 08:45

According to Mohan, all an attacker needs to know is either victim's Aadhaar ID or linked mobile number or username to unauthorizedly access a targeted Digilocker account, prompting the service to send an OTP and subsequently exploiting the flaw to bypass the sign-in process.

It's worth noting that the mobile app version of Digilocker also comes with a 4-digit PIN for an added layer of security.

The researchers said it was possible to modify the API calls to authenticate the PIN by associating the PIN to another user and successfully login in as the victim.

What's more, the lack of authorization for the API endpoint used to set the secret PIN effectively implies the API can be exploited to reset the PIN linked to a random user using the individual's UUID. "There is no session-related information on the POST request, so it's not bound to any user," Mohan added.

After the flaw was reported to CERT-In on May 10 by Mohan and to DigiLocker on 16th May by Ashish, the cyber agency said the issue was fixed on May 28.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/yq3umHV9zuM/aadhar-digilocker-hacked.html

#indian