Indian Post Office portal vulnerabilities expose Aadhaar data details


An Indian cybersecurity expert and ethical hacker, Gokuleswaran B, has raised the alarm on several Insecure Direct Object Reference (IDOR) vulnerabilities that expose Aadhaar digital ID and other Know Your Customer (KYC) personal details on the portal of the Indian Post Office.

IDOR is a cybersecurity lapse that facilitates access to sensitive data when a bad actor manipulates URLs, request parameters, or API endpoints to gain unauthorized access to a system, in cases where no proper user input verification and authorization mechanisms are in place.

In a write-up published on System Weakness, the ethical hacker recounts his experience interacting with the Indian government website, where he noticed that the Post Office portal has vulnerabilities which place thousands of personal data records in harm’s way.

He explained that the portal can be used to access sensitive personal data by changing the numbers in the portal’s URL. He said he manipulated the website’s URL in such a way that it responded to his requests by returning sensitive personal data.
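The pattern described above, a record fetched by a guessable sequential number in the URL with no check that the record belongs to the logged-in user, is the textbook IDOR. The following is an added example, not code from the Post Office portal or from the researcher's write-up: a vulnerable lookup beside its hardened form (object-level authorization plus unguessable indirect handles), and a small enumeration detector run over constructed access-log lines. All users, record ids and log lines are constructed sample data.

```python
"""Vulnerable vs. hardened record lookup, plus a simple enumeration check.

Added illustration of the IDOR pattern discussed in the article; not the
portal's actual code. All data below is constructed for the example.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class KycRecord:
    record_id: int
    owner: str
    masked_id: str  # constructed placeholder, never a real Aadhaar number


# Constructed store keyed by sequential numeric ids, the kind that appear in a URL.
RECORDS = {
    1001: KycRecord(1001, "alice", "XXXX-XXXX-1234"),
    1002: KycRecord(1002, "bob", "XXXX-XXXX-5678"),
}


class Forbidden(Exception):
    """Raised when a request must be refused."""


def get_record_vulnerable(session_user, record_id):
    """IDOR: only authentication is checked; any id the caller types is served."""
    if session_user is None:
        raise Forbidden("login required")
    return RECORDS.get(record_id)


def get_record_hardened(session_user, record_id):
    """Object-level authorization: the record must belong to the caller.
    'Missing' and 'not yours' return the same error so the id space cannot be
    mapped by comparing responses."""
    if session_user is None:
        raise Forbidden("login required")
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != session_user:
        raise Forbidden("not found")
    return rec


class HandleMap:
    """Indirect references: clients receive random handles instead of raw ids,
    and each handle is bound to the user it was issued to."""

    def __init__(self):
        self._by_handle = {}  # handle -> (owner, record_id)

    def issue(self, owner, record_id):
        handle = secrets.token_urlsafe(16)
        self._by_handle[handle] = (owner, record_id)
        return handle

    def resolve(self, session_user, handle):
        entry = self._by_handle.get(handle)
        if entry is None or entry[0] != session_user:
            raise Forbidden("not found")
        return RECORDS[entry[1]]


def denied(fn, *args):
    """True if the call is refused with Forbidden (helper for tests/demos)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def handle_flow():
    """Issue a handle to alice and show it resolves for her only."""
    hm = HandleMap()
    h = hm.issue("alice", 1001)
    return hm.resolve("alice", h).record_id, denied(hm.resolve, "bob", h)


# Constructed access-log lines: one user requesting many distinct record ids
# in a short window is the server-side signature of id enumeration.
SAMPLE_LOG = [
    "user=alice record=1001 status=200",
    "user=bob record=1002 status=200",
    "user=mallory record=1001 status=200",
    "user=mallory record=1002 status=200",
    "user=mallory record=1003 status=404",
    "user=mallory record=1004 status=404",
]


def flag_enumeration(lines, max_distinct):
    """Return users who requested more than max_distinct distinct record ids."""
    seen = {}
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        seen.setdefault(fields["user"], set()).add(fields["record"])
    return sorted(u for u, ids in seen.items() if len(ids) > max_distinct)
```

The hardened lookup is the fix that actually closes the hole; the handle map only removes guessability and is a defence in depth, not a substitute for the ownership check. The log check is the kind of signal a SOC can alert on while the fix is rolled out.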

The kinds of data left open to exploitation on the portal, according to Gokuleswaran, include Aadhaar biometric digital IDs, PAN numbers, email addresses and telephone numbers, among others.

On noticing the dangerous vulnerabilities, the ethical hacker says he did the right thing by making the concerned authorities aware of the situation, highlighting the danger of leaving such personal data exposed to cybercriminals.

The expert cautions that it is important to effectively plug the gaps for such vulnerabilities as any data breaches arising from them could lead to massive identity theft, phishing attacks and scams, as well as regulatory violations.

India’s Computer Emergency Response Team (CERT-In) is reported to have taken note of the situation and has recommended measures which public entities and organizations must deploy to avoid IDOR-enabled breaches, according to Cybersecurity News.

The IDOR vulnerability revelations on the Post Office portal come just weeks after the Post Office introduced a digital KYC system for services such as opening savings bank accounts.

Implementation of the system got underway on January 6, the date from which customers were required to complete KYC using their Aadhaar biometric ID, as reported by Times of India.

Per the directive that was issued on January 1, the measure will be executed in a phased manner, beginning with bank registration transactions involving new customers.

In the later part of the implementation, KYC using Aadhaar biometric verification will be needed for the opening and closing of different kinds of accounts such as savings and deposits, as well as other aspects related to banking operations.

Recently, the Unique Identification Authority of India (UIDAI) communicated rules on Aadhaar authentication for private and public sector entities for different services considered in the public interest. Several institutions offering financial services have been authorized for this Aadhaar authentication scheme.
