French security researcher: 20,000 Aadhaar cards available online
According to Medianama, French security researcher Baptiste Robert (@fs0c131y) announced in a tweet on Sunday that he had found electronic images of 20,000 Aadhaar cards on Indian government and non-governmental agency websites. The images were in PDF or JPEG format, and the whole process took only about 3 hours.
25 + 18365 + 4 + 7 + 516 + 716 + 16 + 12 + 4 + 200 + 277 = 20142 #Aadhaar cards found
— Elliot Alderson (@fs0c131y) March 10, 2018
Aadhaar currently has the world's largest biometric database and has collected iris scans and fingerprints from more than one billion Indian citizens. Even before this, many security experts and media outlets had questioned the security and privacy of the Aadhaar system. Because of the amount and sensitivity of the data it stores, it cannot tolerate any lapse.
A few hours after Robert's tweet, the Unique Identification Authority of India (UIDAI) responded with nearly 11 tweets on the matter.
UIDAI reiterated that Aadhaar is still “safe and reliable,” and stated that “in the past eight years, its biometric database has not leaked anything.”
UIDAI rejected the reports of security breaches as “irresponsible” and “away from the truth,” and called Aadhaar “the most credible identity card.” UIDAI also stressed that the Aadhaar card is just an identity document that people can share openly with others when needed, and that it should not be considered confidential.
Publication of Aadhaar cards by some people have absolutely no bearing on UIDAI and not the least on Aadhaar security. Aadhaar as an identity document by its very nature needs to be shared openly with others as and when required and asked for. 3/n
— Aadhaar (@UIDAI) March 11, 2018
Robert does not appear to have accepted the UIDAI statement. He wrote in a further reply to UIDAI's tweet:
If it is really a reaction to my tweets, this is really a bad signal. Instead of making disinformation @UIDAI, please discuss with me. Your threats are useless and I will continue my work. So please stop denying and let’s fix things together. https://t.co/KRHcsOK6ZI
— Elliot Alderson (@fs0c131y) March 11, 2018
It is worth noting that in the past few months, Robert has already reported security flaws in the websites of several Indian government agencies, including the state-owned telecom operator Bharat Sanchar Nigam Limited (BSNL) and the Indian Space Research Organisation (ISRO).