A safety researcher says a bug on an Indian state authorities web site inadvertently revealed paperwork containing residents’ Aadhaar numbers, ID playing cards and copies of their fingerprints.
The bug was mounted final week after the safety researcher disclosed it to native authorities.
Sourajeet Majumder discovered the bug within the West Bengal authorities’s e-District internet portal that enables state residents to entry authorities companies on-line, like acquiring start and dying certificates and creating of purposes. Majumder stated the web site bug meant it was attainable to acquire land deeds, which comprise information about who owns a chunk of land, from the e-District web site by guessing the numbers of request for sequential act.
Request ID numbers are distinctive 16-digit numbers issued by the state authorities when a neighborhood resident requests a digital copy of a deed.
{A partially} blurred copy of the uncovered land deed of a resident of West Bengal.
All request ID numbers had been invalid. Utilizing publicly out there instruments reminiscent of Burp Suite to investigate community site visitors out and in of the web site meant that Majumder might scan whole lists of sequential software numbers and use server responses to find out whether or not a quantity software identification was legitimate.
By accessing an software identification quantity, anybody with a connection to the e-District system might entry a replica of a land deed. Two property deeds considered by TechCrunch comprise the names of the individuals concerned within the deed, their images and their full fingerprints of each arms. It isn’t unusual to see a number of people on the identical act.
The deeds additionally comprise people’ government-issued identification paperwork, together with their confidential Aadhaar numbers, assigned to every citizen as a part of India’s Nationwide Identification and Biometric Database. Aadhaar numbers are required to entry banking companies, cell phone plans and plenty of authorities companies.
Majumder reported the web site vulnerability to India’s Laptop Emergency Response Workforce, often known as CERT-In, and the West Bengal authorities, fearing the vulnerability could possibly be misused for fraud identification. The bug was mounted shortly after.
It’s unclear if anybody aside from Majumder found the bug. Representatives of the West Bengal authorities and CERT-In didn’t reply to requests for remark. The West Bengal authorities’s e-District web site says it has processed greater than 17 million purposes to date, though it’s unclear what number of of them are for property titles.
Native media experiences a current enhance in fraud linked to the alleged theft of biometric data, which criminals allegedly use to empty financial institution accounts.
