New data leak hits Aadhaar revealing Aadhaar holders’ information

Aadhaar is India’s national identity system for individuals, and it holds users' private data, such as identity and biometric information. Lately, Aadhaar has been making the news for the wrong reasons, mostly because of its lack of proper security and protection. With fingerprints and private information at hand, anyone with access can open a bank account, buy a cellular SIM card, etc.

Enrolling in the database has become mandatory, since it is required to access even basic government services. Now, according to the latest report from ZDNet, the database is leaking information on every Aadhaar holder. The leak, in a system run by a state-owned utility company, can allow anyone to download private information on all Aadhaar holders, including their names, unique 12-digit identity numbers, and information about services they are connected to, such as their bank details and other private information.

Karan Saini, a New Delhi-based security researcher who discovered the vulnerability, said that anyone with an Aadhaar number is affected. ZDNet, for its part, says it tried to contact the authorities, and even contacted the Indian Consulate in New York, alerted Devi Prasad Misra and tried to explain the issue in detail, yet nothing has been fixed.

To keep the vulnerability information from falling into the wrong hands, ZDNet is withholding the specific details of the vulnerability until it is fixed. The utility provider currently has access to the Aadhaar database through an API, which companies rely on to check a customer’s status and verify their identity.

Saini also found that the API doesn’t have any rate limiting in place, allowing an attacker to cycle through every permutation, potentially trillions, of Aadhaar numbers and obtain information each time a successful result is hit. He added that it would be possible to enumerate Aadhaar numbers by cycling through combinations, such as 1234 5678 0000 to 1234 5678 9999, which can then be used to find their corresponding details.
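The missing control, as a server-side sketch added here for illustration (it is not code from ZDNet, Saini or the affected API): a per-client guard that caps lookup volume and blocks a client that queries many different identifiers in a short window. It assumes callers are authenticated so a client key exists; the class name, thresholds and `TEST-` identifiers are hypothetical.

```python
import time
from collections import defaultdict, deque


class LookupGuard:
    """Sliding-window guard placed in front of an identity-lookup endpoint."""

    def __init__(self, max_requests=20, max_distinct_ids=5,
                 window_s=60.0, block_s=900.0):
        self.max_requests = max_requests          # total calls per window
        self.max_distinct_ids = max_distinct_ids  # different IDs per window
        self.window_s = window_s
        self.block_s = block_s
        self._events = defaultdict(deque)         # client -> (time, id) pairs
        self._blocked_until = {}                  # client -> unblock time

    def check(self, client, lookup_id, now=None):
        """Return 'allowed', 'throttled' or 'blocked' for one lookup."""
        now = time.monotonic() if now is None else now
        if self._blocked_until.get(client, 0.0) > now:
            return "blocked"
        events = self._events[client]
        while events and now - events[0][0] >= self.window_s:
            events.popleft()                      # drop calls outside window
        events.append((now, lookup_id))
        # Enumeration signal: one client touching many different identifiers.
        if len({i for _, i in events}) > self.max_distinct_ids:
            self._blocked_until[client] = now + self.block_s
            return "blocked"
        # Plain volume limit, e.g. a client retrying the same record.
        if len(events) > self.max_requests:
            return "throttled"
        return "allowed"


def replay(guard, client, ids, start=0.0, step=1.0):
    """Feed constructed lookups through the guard, one every `step` seconds."""
    return [guard.check(client, i, now=start + n * step)
            for n, i in enumerate(ids)]


if __name__ == "__main__":
    # Constructed sample traffic; the identifiers are placeholders.
    sequential = [f"TEST-{n:04d}" for n in range(8)]
    print(replay(LookupGuard(), "client-a", sequential))
    print(replay(LookupGuard(max_requests=3), "client-b", ["TEST-0001"] * 5))
```

In a real deployment the counters would live in a shared store so that every API node sees the same totals, and blocked clients would be logged for review.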

However, the Unique Identification Authority (UIDAI), which administers the Aadhaar database, said: “Aadhaar database does not keep any information about bank accounts.” Either way, access to Aadhaar numbers increases the risk of identity theft or could lead to impersonation.
