B’luru Hacker Piggybacked on Govt Server to Access Aadhaar Data
A senior officer said that data servers of the UIDAI were not compromised, but Abhinav Srivastava’s mobile app had managed to illegally gain information by impersonating a government server. 
A senior officer said that data servers of the UIDAI were not compromised, but Abhinav Srivastava’s mobile app had managed to illegally gain information by impersonating a government server.  (Photo: iStock)

B’luru Hacker Piggybacked on Govt Server to Access Aadhaar Data

Days after an IIT Kharagpur graduate was arrested in Bengaluru for stealing Aadhaar data, the city's cyber crime police have revealed how the software engineer managed to illegally access data of thousands.

31-year-old Abhinav Srivastava, who had created an eKYC verification mobile application, allegedly accessed Aadhaar data by illegally impersonating a government server. The police say that he hacked into an e-hospital server to use it as a channel to get Aadhaar information for his mobile application.

Also Read: B’luru Police Arrests IIT Grad for Hacking UIDAI Data with App

But what’s worrying is that the Unique Identification Authority of India (UIDAI) easily provided data of thousands of persons under the impression that it was being sent to an authorised government server.

Bengaluru police say that the IIT-graduate had exploited weak security protocols of the e-hospital system, a government server, for easy access UIDAI data. A senior officer, however, added that data servers of the UIDAI were not compromised.

Abhinav Srivastava’s app, eKYC verification, provided verification of UIDAI data. The e-hospital system was a server hosted by National Informatics Centre (NIC), which had tied up with the Unique Identification Authority of India (UIDAI) for Aadhaar authentication services. The lack of Hypertext Transfer Protocol Secure (HTTPS), which is a secure version of HTTP (Hypertext Transfer Protocol), in the e-hospital server made the hacking easier, said investigators.

Despite the police’s assurance that database on the UIDAI was not compromised, concerns about its vulnerability remain. There are several government servers that use UIDAI data, but lack the security measures to prevent any breaches, leaving UIDAI susceptible to cyber attacks.

“All verification requests for his illegal app were made through the e-hospital server. As the verification requests were coming from the e-hospital server, the UIDAI database provided him with information. This use of Aadhaar data happened between beginning to January to end of July,” said a senior police officer.

How many people have accessed Aadhaar data using eKYC app is still being investigated, said the cops. They, however, added that Srivastava’s app had revealed details such as name, address, and phone number of several individuals, from the UIDAI database.

During questioning, Abhinav insisted that he was not a criminal, but was trying to make a useful mobile app. Cops also added that his Android mobile app was downloaded over 50,000 times and he made a revenue of Rs 40,000 from the ads as well.

(We all love to express ourselves, but how often do we do it in our mother tongue? Here's your chance! This Independence Day, khul ke bol with BOL – Love your Bhasha. Sing, write, perform, spew poetry – whatever you like – in your mother tongue. Send us your BOL at bol@thequint.com or WhatsApp it to 9910181818.)