DigiLocker, an online service from the government that allows individuals to store documents digitally, was found to have an authentication flaw, putting the data of crores of users at risk. The issue was first discovered by a researcher last month and existed in the sign-in process of the service. This could have allowed bad actors to bypass the two-factor authentication and access sensitive personal information. The flaw has now been fixed. Notably, the online facility by the government has over 3.84 crore users.

A security researcher, Ashish Gahlot, discovered the vulnerability in the DigiLocker system while analysing its authentication mechanism. The researcher found that although the default mechanism asks for a one-time password (OTP) and a PIN to log in to the digital storage, he was able to bypass the authentication after adding an Aadhaar number and intercepting the connection to DigiLocker and changing the parameters, as explained by the researcher in a post on Medium.

The authentication flaw allowed anyone with sufficient technical skills to set up a new PIN and even access the DigiLocker account, without requiring any passwords. The flaw could also allow attackers to acquire a user profile by bypassing the OTP process and modifying the response using an interception tool.

Gahlot discovered the vulnerability last month and reported it to the DigiLocker team shortly. The team fixed the PIN bypassing issue in a couple of days, however, the OTP bypass issue was resolved on Monday.

Gadgets 360 has reached out to DigiLocker to get more clarity on the flaw and will update this story as its team responds.

As per the latest statistics available on the DigiLocker site, there are more than 3.84 crore registered users on the platform. It also issued over 375 authentic documents and has a total of 155 issuer organisations and 45 requestor organisations. The platform is used to store documents such as Aadhaar card, insurance letters, income tax (IT) returns, mark sheets by various state and central boards, and driving licence issued by state governments. Moreover, it is handled by the National e-Governance Division (NeGD), led by the Ministry of Electronics and Information Technology (MeitY).


In 2020, will WhatsApp get the killer feature that every Indian is waiting for? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

PUBG Mobile 1-UC Bounty Raid Offers a Chance to Win Cool Skins for 1 UC





Source link

By HS

Leave a Reply

Your email address will not be published. Required fields are marked *