DigiLocker is an online digital storage service run by the Indian government where citizens can keep documents and files digitally. Recently, a security researcher discovered a vulnerability in DigiLocker that left over 3.8 crore (38 million) accounts exposed.
It is an authentication flaw that put users' data at risk. The issue was first identified last month by security researcher Ashish Ghalot and resided in the service's sign-in method.
The vulnerability allowed attackers to bypass two-factor authentication and gain access to users' sensitive private information; the flaw has since been identified and fixed.
Ashish Ghalot found the flaw while analyzing DigiLocker's authentication mechanism. He also stated that he examined the default mechanism, which asks for a one-time password (OTP) and a PIN to log in to the digital locker.
After obtaining the OTP, he was able to bypass the authentication mechanism by entering an Aadhaar number linked to DigiLocker and simply modifying the parameters.
With over 38 million enrolled users, DigiLocker is a cloud-based locker that serves as a digital platform for the online processing of documents and faster delivery of various government-to-citizen services. Importantly, a DigiLocker account is linked to the user's mobile number and Aadhaar ID (a unique identity number (UID) assigned to every citizen of India).
Apart from Ashish Ghalot, other security experts have also investigated this DigiLocker vulnerability; they too identified the root cause of the flaw and are expected to publish their findings soon.
Ashish Ghalot reported his findings to CERT-IN, and the issue was fixed on May 28. Here are the issues he discovered, with their severity ratings:
OTP bypass due to lack of authorization – Marked as Critical
Secret PIN Bypass/takeover – Marked as Critical
Poor session mechanism in APIs – Marked as High
Weak SSL pinning mechanism in the mobile app – Marked as Medium
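The top finding, an OTP bypass due to lack of authorization, is the pattern where a server checks that some OTP was verified but never ties that verification to the account the client then asks to log in to. The following is an added illustration of that bug class alongside its fix, written for this article; it is a constructed toy flow, not DigiLocker's actual API, and all session and identifier names are made up.

```python
import hmac
import secrets

# Constructed demo of the bug class described in the article: an OTP step that is
# verified but never bound to the identifier being logged in. Not DigiLocker's API.
# `sessions` is server-side state: which identifier requested an OTP, and whether
# that OTP was verified.

def issue_otp(sessions, session_id, identifier):
    """Step 1: user supplies an identifier; server generates an OTP bound to the session."""
    otp = f"{secrets.randbelow(10**6):06d}"
    sessions[session_id] = {"identifier": identifier, "otp": otp, "verified": False}
    return otp  # in a real system this is sent out-of-band (SMS), never returned

def verify_otp(sessions, session_id, otp):
    """Step 2: constant-time check of the submitted OTP; mark the session verified."""
    s = sessions.get(session_id)
    if s is None or not hmac.compare_digest(s["otp"], otp):
        return False
    s["verified"] = True
    return True

def login_vulnerable(sessions, session_id, identifier):
    """Step 3 (flawed): trusts the identifier sent in the login request. A client
    that verified an OTP for its own identifier can change that parameter and be
    logged in as a different account, because the OTP check is not tied to it."""
    s = sessions.get(session_id)
    if s is None or not s["verified"]:
        return None
    return identifier  # authorization gap: never compared with s["identifier"]

def login_hardened(sessions, session_id, identifier):
    """Step 3 (fixed): the account being logged in to must equal the identifier
    for which the OTP was verified, so a tampered parameter is rejected."""
    s = sessions.get(session_id)
    if s is None or not s["verified"]:
        return None
    if not hmac.compare_digest(s["identifier"], identifier):
        return None
    return s["identifier"]

def demo():
    """Walk through both versions with constructed identifiers user-A and user-B."""
    sessions = {}
    otp = issue_otp(sessions, "sess-1", "user-A")
    assert verify_otp(sessions, "sess-1", otp)
    return (login_vulnerable(sessions, "sess-1", "user-B"),  # "user-B": bypass
            login_hardened(sessions, "sess-1", "user-B"),    # None: rejected
            login_hardened(sessions, "sess-1", "user-A"))    # "user-A": legitimate
```

The fix is purely server-side: the verified state and the identifier it belongs to live in session storage, so nothing the client sends in step 3 can widen what the OTP authorized.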
According to DigiLocker, the nature of the vulnerability was such that an individual's DigiLocker account could be compromised if the attacker knew the username for that account. The flaw was fixed on a priority basis after the technical team received an alert from CERT-IN.