Nearly 6 million Aadhaar numbers have been leaked through a vulnerability on the Indane website meant for dealers and distributors, a French ‘ethical hacker’ who goes by the name Elliot Alderson claimed on Twitter.
In a blog posted on Monday, 18 February, Alderson detailed how he got a private message on 10 February, alerting him to a vulnerability on a web portal meant for local dealers. The Indane portal reportedly exposes the names, Aadhaar numbers and addresses of the customers.
A lack of authentication in this portal means that if one has information on other dealers — i.e. a ‘dealer ID’ — then it is possible to access the information of 6,791,200 Indane customers, according to Alderson.
Indian Oil Corp responded to the allegations on Twitter, saying that “leakage of Aadhaar data is not possible through us.” Its statement draws a distinction between Aadhaar data and Aadhaar numbers. However, Alderson’s allegation concerns Aadhaar numbers, and the UIDAI has clarified in the past that Aadhaar numbers themselves qualify as sensitive data.
The Unique Identification Authority of India (UIDAI) has not publicly responded to the allegations. The Quint has also reached out to UIDAI for a response through email.
Indane, an LPG brand owned by the Indian Oil Corporation, is one of the country’s largest gas companies.
Explaining The ‘Leak’
Alderson has claimed that the local dealer portal on Indane was not protected by any authentication.
In an image posted by Alderson, there’s a field that requires dealer IDs to be entered. Once the ID is entered, the Aadhaar numbers, names and addresses of customers registered with the specific dealer can be accessed, according to the security researcher.
To understand how many customers could potentially be affected, Alderson sought to obtain the IDs of the roughly 11,000 Indane dealers. According to the blog, he wrote a script that retrieved the IDs of some dealers through Indane’s Android app.
Once the dealer IDs were obtained, Alderson returned to the portal and was able to access the Aadhaar information of nearly 6 million customers. Indane blocked Alderson’s IP address after one day, so he could not test the remaining dealers. By his estimate, the number of customers affected by the alleged leak could be as high as 6,791,200.
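As an added defender-side illustration (not code from the original article or from Alderson’s blog), the Python below scans constructed web-server log lines for one client requesting customer records under many distinct dealer IDs within a short window, the enumeration pattern that Indane’s eventual IP block reacted to. The `/dealer/customers?dealer_id=` path, the log format and the sample IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (hypothetical portal path and dealer IDs).
# Format: "<ISO timestamp> <client IP> <request path>".
SAMPLE_LOG = """\
2019-02-10T09:00:01 203.0.113.5 /dealer/customers?dealer_id=10001
2019-02-10T09:00:02 203.0.113.5 /dealer/customers?dealer_id=10002
2019-02-10T09:00:03 203.0.113.5 /dealer/customers?dealer_id=10003
2019-02-10T09:00:04 203.0.113.5 /dealer/customers?dealer_id=10004
2019-02-10T09:00:05 203.0.113.5 /dealer/customers?dealer_id=10005
2019-02-10T09:00:06 203.0.113.5 /dealer/customers?dealer_id=10006
2019-02-10T09:15:00 198.51.100.7 /dealer/customers?dealer_id=20001
2019-02-10T09:16:00 198.51.100.7 /dealer/customers?dealer_id=20001
2019-02-10T09:17:00 198.51.100.7 /dealer/customers?dealer_id=20002
2019-02-10T10:30:00 203.0.113.5 /dealer/customers?dealer_id=10007
"""

LINE_RE = re.compile(r"^(\S+) (\S+) /dealer/customers\?dealer_id=(\d+)$")

def parse_log(text):
    """Yield (timestamp, ip, dealer_id) for each customer-lookup line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_enumerators(text, window=timedelta(minutes=10), threshold=5):
    """Return {ip: most distinct dealer IDs seen in any single `window`} for IPs
    that reach `threshold`.  A legitimate dealer looks up its own ID; one client
    cycling through many different IDs is the enumeration pattern to alert on."""
    events = defaultdict(list)
    for ts, ip, dealer in parse_log(text):
        events[ip].append((ts, dealer))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in evs[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'203.0.113.5': 6}
```

The second client is not flagged at the default threshold because it repeats one ID and touches only two, which is what a dealer using its own login would look like.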
TechCrunch verified some of the numbers that came up in Alderson’s account by using UIDAI’s web-based verification tool. Each number used came back as a match, the report said.
Not The First Time
This is not the first time that Aadhaar information (numbers, names and addresses) has been stored in vulnerable online spaces. In March 2018, a data leak on Indane had allowed “anyone to download private information on all Aadhaar holders,” according to ZDNet.
In September last year, The Quint had reported that “private entities of various kinds, educational, non-profit or commercial” kept entire directories of Aadhaar numbers open and searchable on Google. According to the report, this meant that a search of “aadhar.jpg” on Google could lead to an extensive database of Indian citizens.
(The article will be updated if UIDAI responds to The Quint’s queries.)
(With inputs from TechCrunch)