Indian Government Portal Exposes Residents’ Aadhaar Details and Fingerprints
An independent security researcher has disclosed a flaw in a government website of West Bengal, India. The flaw gave anyone access to residents' confidential identity documents, along with a range of other personal data.
Researcher Saurajit Majumder found the flaw in the e-District portal, a platform that lets state residents obtain government services online, including birth and death certificates and other attestations.
Majumder said that because of this flaw, land documents, which contain the records of land owners, could be obtained simply by guessing the sequential application numbers for these documents.
With an application's identification number, any user with an account on the e-District system could retrieve a copy of the property rights document. The exposed data included the names of the individuals associated with the document, their photographs, and a full set of fingerprints from both hands.
These documents also listed state identity documents, including confidential Aadhaar numbers, which are part of India's national identity and biometric database. These numbers are required to access banking services, mobile connectivity, and many government services.
Majumder reported the vulnerability to India's Computer Emergency Response Team, known as CERT-In, and to the West Bengal government. Given its severity, the flaw was promptly fixed.
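The access pattern described above (sequential application numbers, retrievable by any logged-in account) is a missing object-level authorization check. The sketch below is an added illustration, not the portal's code: it shows the flawed lookup beside one that verifies ownership and logs every attempt, plus a log check that flags accounts walking consecutive numbers. All account names, application numbers and function names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: application number -> owning account and document.
APPLICATIONS = {
    1001: {"owner": "alice", "doc": "land-record-1001"},
    1002: {"owner": "bob", "doc": "land-record-1002"},
    1003: {"owner": "carol", "doc": "land-record-1003"},
    1004: {"owner": "dave", "doc": "land-record-1004"},
}

def fetch_document_unchecked(user, app_no):
    """Flawed pattern: being logged in is enough to read any application."""
    rec = APPLICATIONS.get(app_no)
    return rec["doc"] if rec else None

def fetch_document(user, app_no, audit_log):
    """Hardened lookup: the requester must own the application."""
    rec = APPLICATIONS.get(app_no)
    allowed = rec is not None and rec["owner"] == user
    audit_log.append((user, app_no, allowed))
    # "Does not exist" and "not yours" look identical to the caller,
    # so responses cannot be used to learn which numbers are valid.
    return rec["doc"] if allowed else None

def longest_run(numbers):
    """Length of the longest run of consecutive integers in `numbers`."""
    best = current = 0
    previous = None
    for n in sorted(numbers):
        current = current + 1 if previous is not None and n == previous + 1 else 1
        best = max(best, current)
        previous = n
    return best

def flag_enumeration(audit_log, min_run=3):
    """Accounts denied on `min_run` or more consecutive application numbers."""
    denied = defaultdict(set)
    for user, app_no, allowed in audit_log:
        if not allowed:
            denied[user].add(app_no)
    return sorted(u for u, nums in denied.items() if longest_run(nums) >= min_run)
```
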
It is unclear whether anyone besides Majumder discovered the flaw. Representatives of the West Bengal government and CERT-In did not comment when asked. The e-District site states that it has processed over 17 million applications to date, though it is unclear how many of them relate to property rights documents.
In recent months, local media have also reported a surge in fraud linked to the alleged theft of biometric information, which the perpetrators then use to drain citizens' bank accounts.
Via: TechCrunch