The Unique Identification Authority of India (UIDAI) today refuted reports about a fresh data leak of Aadhaar holders, and asserted that there has been "absolutely no breach" of its database.
On Saturday, 24 March, it seemed that somehow the “13-foot-high wall” of the UIDAI had been breached yet again!
In an exclusive report by ZDnet.com, it has been revealed that a state-owned utility service provider’s server is vulnerable, as Delhi-based security researcher Karan Saini was able to access the Aadhar data of all the registered users.
In a statement issued, UIDAI said: "there is no truth in this story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure".
UIDAI argued that mere availability of Aadhaar number with a third person "will not be a security threat to the Aadhaar holder" nor will it lead to financial or other fraud. This is because a transaction is contingent upon a successful authentication through fingerprint, iris or OTP of the Aadhaar holder, UIDAI said.
The report claims that the Indian government was intimated about this issue over a month ago, but has not taken any action to fix it. What’s scary is that the reports says that vulnerable data includes personal information of users like the Aadhaar number and names of banks in which they have accounts.
This is in contradiction to a tweet by the UIDAI in January which stated that Aadhaar doesn’t store any information regarding bank accounts.
The report also claims that the data of the users who aren’t even registered with this utility service can also be accessed. Though the report doesn’t say which utility service provider it is, it does mention it is a state-owned entity.
The UIDAI has argued that even if the report’s claims were taken to be true, the security-related concerns should be around the database of the utility company in question.
It has "nothing to do with security of UIDAI’s Aadhaar database", it said.
It has reportedly not secured the API (application program interface), which makes the Aadhaar details of all citizens vulnerable.
According to the report “The API’s endpoint – a URL that we are not publishing – has no access controls in place. The affected endpoint uses a hard coded access token, which, when decoded, translates to ‘INDAADHAARSECURESTATUS’, allowing anyone to query Aadhaar numbers against the database without any additional authentication.”
According to Saini, “An attacker is bound to find some valid Aadhaar numbers there which could then be used to find their corresponding details.”
He also explained that it would be possible to enumerate Aadhaar numbers by cycling through combinations, such as 1234 5678 0000 to 1234 5678 9999. This is possible since the site’s API doesn't have any rate limiting in place. This allows an attacker to cycle through every permutation of possible Aadhaar numbers and obtain information each time an existing number is hit.
The report also mentions Saini saying that the data has been constantly updated from 2014 to 2017. He also told ZDnet:
I cannot speculate whether it is UIDAI that is providing this information to [the utility provider], or if the banks or gas companies are, but it seems that everyone’s information is available, with no authentication — no rate limit, nothing.
Earlier this week, UIDAI CEO Ajay Bhushan Pandey had made a powerpoint presentation in the Supreme Court to defend the government's ambitious Aadhaar scheme. He had said that breaking Aadhaar encryption may take "more than the age of the universe for the fastest computer on earth."
(With PTI inputs)
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)