French researcher uses simple hack to access Telangana government site with lakhs of Aadhaar details
TSPost has account details, including Aadhaar numbers, of 56 lakh NREGA, and 40 lakh social security pension beneficiaries.
A French security researcher used a basic web hacking technique to breach the Telangana government’s benefit disbursement portal TSPost, which has the account details – including Aadhaar numbers – of 56 lakh National Rural Employment Guarantee scheme beneficiaries, and 40 lakh beneficiaries of the social security pensions.
“In theory, a government website is very secure but in India, it’s another story... http://tspost.aponline.gov.in is vulnerable to a basic SQL injection,” the researcher, Baptiste Robert said on Twitter, where he goes by the handle Elliot Alderson.
Hackers and researchers use SQL, or structured query language code, to attack the back-end of websites.
“A basic SQL injection allows an attacker to access the database of the website,” Robert said according to The Times of India. “To be clear, all the data on this website can be a dump. Telangana government officials say they are working to fix it. For this website, they have to hire decent web developers to protect it from attacks.”
In a follow-up tweet about how the government fixed the problem, Robert said, “I don’t know if I have to laugh or cry.” He said the government had fixed the issue by putting the website offline.
“We are working on fixing the vulnerability after it was reported to us,” a TSPost official told The Times of India. “It was online due to certain dependencies. We have taken off the site from the web, and we hope by Tuesday evening we will be able to set it right.”
This new breach comes just weeks after several cases highlighted how vulnerable the Aadhaar system is to security breaches.
In Surat, stolen biometrics were used to steal rations. The police arrested two fair price shop owners after busting the racket that involved diverting subsidised food items by using an illegal software that used the stolen data.
In the Rajya Sabha, the Minister of State for Finance Shiv Pratap Shukla had admitted that nearly Rs 1.5 crores in cash was fraudulently withdrawn from Public Sector Bank accounts using customers’ Aadhaar numbers.