Security researcher finds serious flaw in Aadhaar system that leaves data open for download: Report
The private information of all Aadhaar holders is vulnerable because of a state-run utility company, claimed Karan Saini.
A New Delhi-based security researcher has discovered a data leak on a system run by a state-owned utility company that can allow anyone to download private information on all Aadhaar holders, news website ZDnet reported on Friday.
Details such as the names of the Aadhaar holders, their 12-digit biometric-based unique identification numbers and information about the services they are connected to, such as their bank details and other private information, are available, the report said, quoting security researcher Karan Saini.
The report was published a day after the chief executive officer of the Unique Identification Authority of India, Ajay Bhushan Pandey, told the Supreme Court on Thursday that Aadhaar data was encrypted so well that it would take even the most powerful computer time equal to “the age of the universe” to break a single key.
The state-owned utility company, which the website did not name, has access to the Aadhaar database through an application programming interface, or API, that it uses to verify a customer’s status and identity. An API is a programme that allows apps to access data stored by other applications or software. However, the utility firm has not secured its API, leaving the data of not only its customers but every Aadhaar holder vulnerable, the ZDnet report said.
Saini told the website that the API’s endpoint has no access security controls in place. The flaw would also allow a hacker to cycle through every possible Aadhaar number and retrieve the associated information each time a number turns out to be valid. “An attacker is bound to find some valid Aadhaar numbers there, which could then be used to find their corresponding details,” the security researcher said.
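The number-cycling pattern Saini describes leaves a distinctive trace in server logs: one client querying many distinct identifiers in quick succession, most of them returning misses. The following is an added example of a log-side detector for that pattern; it is not code from the report or from the utility company, and the log format, the endpoint path `/api/verify`, the identifier values and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log for a hypothetical lookup endpoint keyed by a 12-digit
# identifier (placeholder numbers, not a real service). One client walks consecutive
# identifiers and keeps going after misses; another client does two normal lookups.
SAMPLE_LOG = """\
10.0.0.5 [12/Mar/2018:10:00:01] "GET /api/verify?id=100000000001" 404
10.0.0.5 [12/Mar/2018:10:00:01] "GET /api/verify?id=100000000002" 404
10.0.0.5 [12/Mar/2018:10:00:02] "GET /api/verify?id=100000000003" 200
10.0.0.5 [12/Mar/2018:10:00:02] "GET /api/verify?id=100000000004" 404
10.0.0.5 [12/Mar/2018:10:00:03] "GET /api/verify?id=100000000005" 404
10.0.0.5 [12/Mar/2018:10:00:03] "GET /api/verify?id=100000000006" 200
10.0.0.9 [12/Mar/2018:10:00:04] "GET /api/verify?id=100000004242" 200
10.0.0.9 [12/Mar/2018:10:05:00] "GET /api/verify?id=100000004242" 200
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET /api/verify\?id='
                     r'(?P<id>\d{12})" (?P<status>\d{3})$')

def parse_log(text):
    """Yield (ip, timestamp, id, status); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
            yield m["ip"], ts, m["id"], int(m["status"])

def detect_enumeration(text, min_distinct=5, window_seconds=60, min_miss_ratio=0.5):
    """Flag clients that look up many distinct identifiers within one time window
    with a high miss rate (non-200 responses), the signature of an identifier sweep.
    Returns {ip: stats} describing the widest qualifying window per flagged client."""
    per_ip = defaultdict(list)
    for ip, ts, ident, status in parse_log(text):
        per_ip[ip].append((ts, ident, status))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            ids = sorted({int(e[1]) for e in window})
            misses = sum(1 for e in window if e[2] != 200)
            if len(ids) >= min_distinct and misses / len(window) >= min_miss_ratio \
                    and (ip not in flagged or len(ids) > flagged[ip]["distinct_ids"]):
                flagged[ip] = {"distinct_ids": len(ids), "requests": len(window),
                               "misses": misses,
                               "sequential": all(b - a == 1 for a, b in zip(ids, ids[1:]))}
    return flagged
```

The `sequential` flag is a strong signal on its own, since legitimate customer lookups do not arrive in identifier order; in practice the same logic sits behind rate limiting and authentication on the endpoint rather than replacing them.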
ZDnet said it had spent more than a month attempting to contact Indian government officials, but no one responded to its emails. It later got in touch with the Indian consul for trade and customs in New York, Devi Prasad Misra. The website said it spent more than two weeks explaining the flaws to him, but the vulnerability was still not fixed.
The Unique Identification Authority of India on Saturday dismissed the reports and said that the Aadhaar system is “safe and secure”. “If one goes by the logic of ZDNet’s story, since the utility company’s database also had bank account numbers of its customers, so would that mean that all Indian banks’ databases have been breached?” the UIDAI asked. “The answer would obviously be negative.”