According to an independent security researcher, a vulnerability in Jio’s JioWallet app said to have exposed personal data of the users. The Aadhaar numbers were exposed along with details like date of birth, when did they verify SIM card and their JioMoney account MPIN.
C.S. Akshay who is an independent security researcher started digging the JioMoney code when the service’s customer support was unable to resolve a grievance. In a Tweet, Akshay said: “Absolutely irritated, I messed with Jio Money with [which] the issue resided and boom, a vulnerability was discovered.” However, he deleted the Tweet on the subject after getting a call from Jio.
Though Jio never publicly announced how many users are enrolled on JioMoney, the company encourages all its subscribers to download the entire Jio suite of apps, which includes JioMoney. Jio on the other runs its own payments bank, it has also partnered with many companies including insurance. It also has partnerships with Uber, Sodexo, Snapdeal and Dominos Pizza.
It’s unclear if this incident has reached to RBI yet. Interestingly, this isn’t the first time Jio has had a vulnerability in its app ecosystem. Back in 2017, Imran Chhimpa figured out a way to auto-fetch Jio users’ details from their phone numbers with a login to a Jio app used by retailers.
In a response the vulnerability, Jio said:
We have come across an unverified and unsubstantiated claim of personal data of JioMoney users being exposed. We confirm that there is no such issue in JioMoney. Prima facie, the claims appear to be mischievous attempts to malign our services. We assure our users that their data is safe and maintained with highest security.
Even though the company has denied it in a statement, on Twitter, the company is responding to users that it has forwarded the concern to its security team and they are looking into it.