
DigiLocker Vulnerability Let Hackers Access Over 3.8 Crore Accounts Without Password


DigiLocker Vulnerability Let Hackers Access Over 3.8 Crore Accounts Without Password
DigiLocker Vulnerability Let Hackers Access Over 3.8 Crore Accounts Without Password

DigiLocker Vulnerability Let Hackers Access Over 3.8 Crore Accounts Without Password

DigiLocker, an online service run by the Government of India for storing an individual's documents digitally, was found to have an authentication flaw that put the data of crores of users at risk. The vulnerability, discovered by a researcher last month, sat in the service's sign-in process: it allowed an attacker to bypass the two-factor authentication and access sensitive personal information. The government has announced that the flaw has been fixed.

HIGHLIGHTS:
  • DigiLocker was found to have a flaw in its authentication mechanism.
  • The DigiLocker team was told about the flaw last month.
  • It allowed anyone to gain access to a user's account.

For those unfamiliar with DigiLocker: it is an online service provided by the Ministry of Electronics and IT (MeitY), Government of India, under its Digital India initiative. The service gives every Aadhaar holder cloud storage for authentic documents, such as a driving licence or an academic mark sheet, in digital format, issued directly by the original issuers of those certificates.
It provides 1 GB of storage space to each account holder, where users can store their scanned documents.

The researcher found that the DigiLocker mobile app uses a 4-digit PIN as an additional layer of security. By modifying the API calls that set and verify this PIN, it was possible to associate the PIN with another user and gain access to the victim's account. Because the API's checks were weak, an attacker could reset the PIN linked to any user simply by supplying that user's UUID.
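
The flaw described above is a broken object-level authorization check: the PIN-reset endpoint accepts a user identifier from the client instead of deriving it from the authenticated session. The following is an added illustration, not DigiLocker's code and not the researcher's exploit. It models a hypothetical PIN-reset API with an in-memory user store and session table (all identifiers and data are constructed), shows the vulnerable handler beside a hardened one that binds the reset to the caller's own session and requires the current PIN, and adds a lockout because a 4-digit PIN has only 10,000 possible values.

```python
import hashlib
import hmac
import os

# Constructed user store, uuid -> PIN record (hypothetical data, not DigiLocker's).
ALICE = "11111111-1111-1111-1111-111111111111"
BOB = "22222222-2222-2222-2222-222222222222"
USERS = {ALICE: {"pin_hash": None, "salt": None, "fails": 0},
         BOB: {"pin_hash": None, "salt": None, "fails": 0}}
# Constructed session store, bearer token -> uuid of the logged-in user.
SESSIONS = {"tok-alice": ALICE, "tok-bob": BOB}
MAX_ATTEMPTS = 5   # a 4-digit PIN has only 10,000 values; lock out early


class AuthError(Exception):
    pass


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked record cannot be brute-forced offline in seconds.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def set_pin(uuid: str, pin: str) -> None:
    rec = USERS[uuid]
    rec["salt"] = os.urandom(16)
    rec["pin_hash"] = _hash_pin(pin, rec["salt"])
    rec["fails"] = 0


def verify_pin(uuid: str, pin: str) -> bool:
    rec = USERS[uuid]
    if rec["pin_hash"] is None or rec["fails"] >= MAX_ATTEMPTS:
        return False                      # unset PIN or locked account
    if hmac.compare_digest(rec["pin_hash"], _hash_pin(pin, rec["salt"])):
        rec["fails"] = 0
        return True
    rec["fails"] += 1
    return False


def reset_pin_vulnerable(request: dict) -> str:
    """Checks only that *a* session exists, then trusts the uuid in the body."""
    if request.get("token") not in SESSIONS:
        raise AuthError("not logged in")
    target = request["uuid"]              # attacker-controlled
    set_pin(target, request["new_pin"])   # no check that target == caller
    return target


def reset_pin_hardened(request: dict) -> str:
    """Derives the target from the session and requires proof of the current PIN."""
    user = SESSIONS.get(request.get("token"))
    if user is None:
        raise AuthError("not logged in")
    if request.get("uuid", user) != user:
        raise AuthError("uuid does not match session")   # worth alerting on
    if not verify_pin(user, request.get("current_pin", "")):
        raise AuthError("current PIN wrong or account locked")
    set_pin(user, request["new_pin"])
    return user


def attempt(handler, request: dict) -> bool:
    """True if the handler accepted the request, False if it raised AuthError."""
    try:
        handler(request)
        return True
    except AuthError:
        return False


def demo() -> dict:
    set_pin(ALICE, "1234")
    set_pin(BOB, "9999")
    # Bob, logged in as himself, resets Alice's PIN through the vulnerable endpoint.
    cross_user = {"token": "tok-bob", "uuid": ALICE, "new_pin": "0000"}
    took_over = attempt(reset_pin_vulnerable, cross_user) and verify_pin(ALICE, "0000")
    # The hardened endpoint rejects the same request; Alice's PIN is untouched.
    set_pin(ALICE, "1234")
    blocked = not attempt(reset_pin_hardened, cross_user)
    # Alice can still change her own PIN when she proves the current one.
    own = {"token": "tok-alice", "current_pin": "1234", "new_pin": "4321"}
    self_reset = attempt(reset_pin_hardened, own) and verify_pin(ALICE, "4321")
    # Guessing: after MAX_ATTEMPTS wrong PINs even the right one is refused.
    for guess in ("0000", "0001", "0002", "0003", "0004"):
        verify_pin(BOB, guess)
    locked = not verify_pin(BOB, "9999")
    return {"took_over": took_over, "blocked": blocked,
            "self_reset": self_reset, "locked": locked}


if __name__ == "__main__":
    print(demo())
```

The fix is not to hide the UUID better but to stop accepting it at all: the only user whose PIN a request may change is the one the session belongs to, and a mismatch between a client-supplied identifier and the session identity is a signal worth logging rather than silently ignoring.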

On analysis, the team found that the vulnerability had entered the code with the recent addition of some new features. The team assured users that no data, database, storage, or encryption was compromised as a result.
