
Posts

Showing posts from June, 2020

38 Million Indian DigiLocker Accounts Could Have Been Accessed Without Password

The Indian Government has fixed a highly critical flaw in DigiLocker, its secure document wallet service, that could have let an attacker bypass the mobile OTP (One-Time Password) check and sign in as other users to access their sensitive documents without authorisation. Security researcher Mohesh Mohan discovered the flaw. According to his analysis, the OTP mechanism lacked an authorisation check: an attacker could complete OTP validation by submitting any valid user's details and then modify the subsequent request to sign in as a different user. DigiLocker has more than 38 million registered users and acts as a digital platform that makes online processing of documents and delivery of government services easier and faster. DigiLocker is also linked to a user's phone number and Aadhaar ID (India's natio

Indian Payment App BHIM Exposes Over 7 Million Users Data

Indian e-payment app BHIM (Bharat Interface for Money) has suffered a massive data breach that exposed the private, sensitive data of over 7 million users. BHIM is built on the UPI (Unified Payments Interface) and owned by NPCI (National Payments Corporation of India), and provides bank-to-bank money transfers in India. The app currently has over 136 million users. Security researchers from VPN Mentor discovered the unsecured database on 23 April 2020 but disclosed it only recently. The exposed database belonged to the BHIM website (http://cscbhim.in/), which was being used to promote the app across India and sign up large numbers of business merchants. The data was exposed by a misconfigured Amazon Web Services (AWS) S3 bucket containing 409 GB of data, with user records from February 2019 onwards. The exposed data include Personally identifiable information (PII

Critical 'Sign in with Apple' Flaw Could Have Let Attackers Hijack Anyone's Account

What if an attacker needed only your email address to gain access to one of your accounts on your favourite app or website? Sounds shocking, right? Indian security researcher Bhavuk Jain discovered a critical vulnerability in Apple's 'Sign in with Apple' system that could allow attackers to bypass authentication and take over a victim's account on third-party applications that offer the 'Sign in with Apple' option to their users. Apple rewarded the researcher with a $100,000 bug bounty for reporting the flaw. Last year, Apple launched 'Sign in with Apple' as a privacy-protecting login system that lets users sign up for an account with third-party applications without disclosing their actual email address. Bhavuk Jain found the vulnerability in the way Apple was validating a user on the client side before initiating a request f
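The DigiLocker and 'Sign in with Apple' excerpts above describe the same class of bug: one identity is actually authenticated (an OTP delivered to a phone number, a user signed in to Apple) and a later request names a different identity that the server then trusts. The following Python is an added example, not code from DigiLocker, Apple or the researchers cited, and its class and function names, the in-memory stores and the constructed phone numbers are assumptions. It shows an OTP login that accepts whatever phone number the final request names beside the fixed version that binds the session to the identity the OTP verified.

```python
"""Added illustration of an OTP login that is not bound to the verified
identity, next to the fixed flow. Not DigiLocker's or Apple's code; all
names and data below are assumptions constructed for the example."""
import hmac
import secrets

# Constructed user store: phone number -> user id. Not real data.
USERS = {"+910000000001": "user-a", "+910000000002": "user-b"}


class OtpService:
    def __init__(self):
        self._pending = {}   # txn_id -> (phone, otp) awaiting verification
        self._verified = {}  # txn_id -> phone that passed OTP verification

    def send_otp(self, phone):
        """Start a login transaction for a known phone number."""
        if phone not in USERS:
            raise ValueError("unknown phone")
        txn = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn] = (phone, otp)
        # The OTP is returned only so the example runs offline; a real
        # service would deliver it to the phone.
        return txn, otp

    def verify_otp(self, txn, otp):
        """Mark the transaction verified for the phone it was issued to."""
        entry = self._pending.pop(txn, None)
        if entry is None:
            return False
        phone, expected = entry
        if not hmac.compare_digest(otp, expected):
            return False
        self._verified[txn] = phone
        return True

    def login_vulnerable(self, txn, phone):
        """Vulnerable: checks only that *some* OTP was verified under this
        transaction, then trusts the phone number in the login request."""
        if txn not in self._verified:
            raise PermissionError("OTP not verified")
        return USERS[phone]

    def login_fixed(self, txn, phone):
        """Fixed: the session principal is the identity the OTP verified;
        a login request naming any other identity is rejected."""
        verified_phone = self._verified.get(txn)
        if verified_phone is None:
            raise PermissionError("OTP not verified")
        if not hmac.compare_digest(verified_phone, phone):
            raise PermissionError("identity does not match verified OTP")
        return USERS[verified_phone]


def demo():
    """Attacker verifies an OTP for their own phone, then asks to log in
    as the victim. Returns (user id the vulnerable flow grants, whether the
    fixed flow blocked the same request)."""
    svc = OtpService()
    txn, otp = svc.send_otp("+910000000001")   # attacker's own phone
    assert svc.verify_otp(txn, otp)
    hijacked = svc.login_vulnerable(txn, "+910000000002")  # victim's phone
    try:
        svc.login_fixed(txn, "+910000000002")
        blocked = False
    except PermissionError:
        blocked = True
    return hijacked, blocked


if __name__ == "__main__":
    print(demo())  # expected: ('user-b', True)
```

The fix is not extra OTP checking but binding: the server records which identity the OTP proved and derives the session from that record, never from an identifier the client supplies after verification.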