Another day and another Aadhaar leak has sent digital security experts up against the Unique Identification Authority of India (UIDAI). This time the Aadhaar leak happened from the website and app of state-owned gas company Indane, exposing various details of an estimated 67.9 lakh of its nine crore customers.
Lack of authentication in Indane's local dealers' portal has led to exposure of details of 11,062 dealers, including the names, addresses and the Aadhaar numbers of their customers.
The leak reportedly happened after Indane exposed a part of its website for dealers and distributors, "even though it is only supposed to be accessible with a valid username and password". "A part of the site was indexed in Google, allowing anyone to bypass the login page altogether and gain unfettered access to the dealer database," reported online publisher TechCrunch. In short, anybody was able to access the dealers details without a username and password.
It’s time to publish the details of the biggest #DataLeak I had to deal with. @IndianOilcl leaked #Aadhaar numbers: 6,700,000 Aadhaar numbers https://t.co/QJaDZlOBcR
— Elliot Alderson (@fs0c131y) February 19, 2019
The latest Aadhaar leak was first exposed by an anonymous digital security activist who goes by the Twitter name Elliot Alderson (fs0c131y). In a post on blogging site Medium, Alderson says that he was tipped off about the security leak by a user on Twitter. "There is “Aadhaar” and “leak” in the same sentence, this guy managed to get my interest," reads the blogpost.
Alderson claims that he was able to access the consumer information of a few dealers, first on its website. On further investigation in Indane Android app, Alderson was able to interfere with the 'Locate Your Distributor' feature and more details leaked out. He adds that he was able to access "a total of 58,26,116 Indane customers' details". However, Alderson estimates that a total of 67,91,200 customers might be affected by the expose through the Indane website and app.
A screenshot showing the unauthenticated access to Indane’s dealer portal, which included sensitive information on millions of Indian citizens. This was one dealer who had 4,034 customers | Image courtesy: TechCrunch
Meanwhile, Indane's parent company Indian Oil Corporation has categorically denied the Aadhaar data leak through the website.
There is no leak of #Aadhaar data through #Indane website pic.twitter.com/sHje42Ba5e
— Indian Oil Corp Ltd (@IndianOilcl) February 19, 2019
The Indane leak is the latest security lapse involving Aadhaar data. The Aadhaar data exposure from Indane has reignited fresh concerns regarding Aadhaar's security in India.
also read
- Why did EPFO remove Aadhaar as proof for date of birth? Here's list of valid documents
- Deadline to update Aadhaar extended till March 14: How to avail free service online?
- Govt eases Aadhaar rules, parents or spouse can now update details of dependents
- Names of people who don't link Aadhaar with election card won't be struck off voters' list
However, the report by TechCrunch claims otherwise. "We verified a sample of Aadhaar numbers from the site using UIDAI’s own web-based verification tool. Each record came back as a positive match," the TechCrunch reported.
In the past, too, Alderson has exposed a number of security issues related to Aadhaar. He defines himelf as a French security researcher and the "worst nightmare of Oneplus, Wiko, UIDAI, Kimbho, Donald Daters and others".
