Flaw in DigiLocker Put Over 3.8 Crore Accounts at Risk: Researcher


DigiLocker, a web-based service from the government that lets people store documents digitally, was found to have an authentication flaw, putting the data of crores of users at risk. The issue was first discovered by a researcher last month and existed in the sign-in process of the service. It could have allowed bad actors to bypass the two-factor authentication and access sensitive personal information. The flaw has now been fixed. Notably, the online facility run by the government has over 3.84 crore users.

Security researcher Ashish Gahlot discovered the vulnerability in the DigiLocker system while analysing its authentication mechanism. The researcher found that although the default mechanism asks for a one-time password (OTP) and a PIN to log in to the digital storage, he was able to bypass the authentication after entering an Aadhaar number, intercepting the connection to DigiLocker and altering the request parameters, as explained by the researcher in a post on Medium.

The authentication flaw allowed anyone with sufficient technical knowledge to set up a new PIN and even access the DigiLocker account without requiring any password. The flaw could also allow attackers to obtain a user's profile by bypassing the OTP step and modifying the server's response using an interception tool.
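The failure pattern described above, a server that lets the client's view of the OTP check decide whether a sensitive action goes ahead, is shown below next to a server-side design that would not be affected by tampering with intercepted parameters or responses. This is an added, constructed illustration for readers; it is not DigiLocker's code and does not reproduce the researcher's findings. The class and function names, the OTP length, the five-attempt limit and the five-minute validity are all assumptions chosen for the example.

```python
"""Two OTP step-up flows for a PIN change.

Constructed example, not DigiLocker's code. VulnerableOtpFlow trusts a
client-supplied "otp_verified" flag, so altering the intercepted request
(or the response that sets the flag) is enough to set a new PIN.
HardenedOtpFlow keeps the verification result in server-side session state,
so the client cannot assert it.
"""
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300      # assumed validity window for a delivered OTP
MAX_OTP_ATTEMPTS = 5       # assumed lockout threshold per session


class VulnerableOtpFlow:
    """Design flaw: the outcome of the OTP check arrives from the client."""

    def __init__(self):
        self.accounts = {}  # username -> PIN

    def set_pin(self, request):
        # Whatever the client sends in "otp_verified" is believed as-is.
        if request.get("otp_verified") is True:
            self.accounts[request["username"]] = request["new_pin"]
            return True
        return False


class HardenedOtpFlow:
    """The server generates the OTP, records the check result itself, and
    binds the PIN change to the username that was actually verified."""

    def __init__(self, now=time.time):
        self.accounts = {}
        # session_id -> {username, otp, expires, attempts, verified}
        self.sessions = {}
        self.now = now  # injectable clock so expiry can be tested offline

    def start_login(self, username):
        sid = secrets.token_urlsafe(32)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.sessions[sid] = {
            "username": username,
            "otp": otp,
            "expires": self.now() + OTP_TTL_SECONDS,
            "attempts": 0,
            "verified": False,
        }
        # In a real deployment the OTP goes out of band (SMS/e-mail); it is
        # returned here only so the example can complete the exchange.
        return sid, otp

    def verify_otp(self, sid, submitted):
        s = self.sessions.get(sid)
        if s is None or self.now() > s["expires"]:
            return False
        if s["attempts"] >= MAX_OTP_ATTEMPTS:
            return False  # locked out; a fresh start_login is required
        s["attempts"] += 1
        if hmac.compare_digest(s["otp"], submitted):
            s["verified"] = True  # the only place this flag is ever set
            return True
        return False

    def set_pin(self, sid, request):
        s = self.sessions.get(sid)
        # Any "otp_verified" field in the request is ignored; only the
        # server's own record counts, and the username must match it.
        if s is None or not s["verified"]:
            return False
        if request.get("username") != s["username"]:
            return False
        self.accounts[s["username"]] = request["new_pin"]
        s["verified"] = False  # one-shot: the next sensitive action needs a new OTP
        return True


if __name__ == "__main__":
    h = HardenedOtpFlow()
    sid, otp = h.start_login("alice")
    print("tampered request accepted:", h.set_pin(sid, {"username": "alice", "new_pin": "1234", "otp_verified": True}))
    print("otp accepted:", h.verify_otp(sid, otp))
    print("pin set:", h.set_pin(sid, {"username": "alice", "new_pin": "1234"}))
```

The point of the hardened version is not the OTP itself but where its result lives: the client never carries the verification state, each session allows a bounded number of guesses, the comparison is constant-time, and a successful check is consumed by a single PIN change rather than left open.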

Gahlot discovered the vulnerability last month and reported it to the DigiLocker team shortly afterwards. The team fixed the PIN bypass issue within a few days; however, the OTP bypass issue was only resolved on Monday.

In a statement released late on Tuesday, the DigiLocker team acknowledged the vulnerability and said that it had "crept" into the code when features were recently added to the platform. The team also claimed an attacker could only compromise the account of a DigiLocker user if they had the username of that account. Further, the team said that no data was compromised because of the vulnerability. As we mentioned earlier, the flaw has now been patched.

As per the latest statistics available on the DigiLocker website, there are more than 3.84 crore registered users on the platform. It has also issued over 375 authentic documents and has a total of 155 issuer organisations and 45 requester organisations. The platform is used to store documents such as the Aadhaar card, insurance letters, income tax (IT) returns, mark sheets from various state and central boards, and driving licences issued by state governments. It is run by the National e-Governance Division (NeGD), under the Ministry of Electronics and Information Technology (MeitY).

Editor's Note: Updated with response from the DigiLocker team.
