
38 Million Indian DigiLocker Accounts Could Have Been Accessed Without Password

The Indian Government has fixed a critical flaw in its secure document wallet service DigiLocker that could have let an attacker bypass the mobile OTP (One-Time Password) mechanism, sign in as other users and gain unauthorised access to their sensitive documents.

Security researcher Mohesh Mohan discovered the flaw in the DigiLocker wallet service. According to his analysis, the OTP mechanism lacked an authorization check: an attacker could complete OTP validation by submitting any valid user's details and then manipulate the rest of the sign-in flow to log in as a different user.

The Indian Government's DigiLocker service has more than 38 million registered users and acts as a digital platform for faster online processing of documents and delivery of various government services. A DigiLocker account is linked to the user's phone number and Aadhaar ID (India's national ID).

According to Mohan's analysis, to gain unauthorized access to a victim's DigiLocker account an attacker only needs to know the victim's Aadhaar ID, linked phone number or username; the attacker triggers the service to send an OTP and then exploits the flaw to bypass the sign-in process.

Note that the DigiLocker mobile application also requires a 4-digit PIN as an additional layer of security (2FA). However, Mohan found that the API calls that verify the PIN could be modified to associate the PIN with any other user: an attacker could complete OTP authentication as one user, submit the 4-digit PIN of a second user, and be logged in as that second user.

Because the API endpoint lacked authentication, it could also be used to reset the PIN linked to a user given only that user's UUID (Universally Unique Identifier). In addition, the DigiLocker mobile app implemented weak SSL pinning, which could be bypassed with tools such as Frida (a dynamic instrumentation toolkit).
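The two server-side mistakes described above (the PIN step trusting a client-supplied user identity instead of the identity proven by the OTP step, and a PIN-reset endpoint reachable with nothing but a UUID) are easier to see in code. The model below is an added illustration written for this page, not DigiLocker's code or the researchers' proof of concept; the accounts, phone numbers, PINs and the `uid` field (standing in for the per-user UUID) are constructed sample data, and the endpoint names are assumed. It runs the same attack chain against a vulnerable and a hardened variant of the flow.

```python
import copy
import hmac
import secrets
import uuid
from dataclasses import dataclass

@dataclass
class User:
    uid: str    # per-user identifier, standing in for the UUID the page mentions (assumed)
    phone: str
    pin: str

# Constructed sample accounts, not real users.
SAMPLE_USERS = {
    "attacker": User(str(uuid.uuid4()), "+910000000001", "1111"),
    "victim": User(str(uuid.uuid4()), "+910000000002", "2222"),
}

def _eq(a, b):  # constant-time comparison for OTPs and PINs
    return hmac.compare_digest(a.encode(), b.encode())

class BaseServer:
    def __init__(self):
        self.users = copy.deepcopy(SAMPLE_USERS)
        self.by_phone = {u.phone: n for n, u in self.users.items()}
        self.by_uid = {u.uid: n for n, u in self.users.items()}
        self.otps = {}      # phone -> pending OTP
        self.sessions = {}  # session id -> state

    def request_otp(self, phone):
        """Issue a 6-digit OTP for a phone number (delivered by SMS in reality)."""
        self.otps[phone] = f"{secrets.randbelow(10**6):06d}"
        return self.otps[phone]

class VulnerableServer(BaseServer):
    def verify_otp(self, phone, otp):
        if phone in self.otps and _eq(self.otps.pop(phone), otp):
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"otp_ok": True}  # BUG: no user bound to the session
            return sid
        return None

    def verify_pin(self, sid, claimed_user, pin):
        # BUG: identity is taken from the request body, not from the OTP step
        sess, u = self.sessions.get(sid), self.users.get(claimed_user)
        if sess and sess["otp_ok"] and u and _eq(u.pin, pin):
            return claimed_user
        return None

    def reset_pin(self, uid, new_pin):
        # BUG: no authentication at all; knowing the UUID is enough to set a PIN
        name = self.by_uid.get(uid)
        if name is None:
            return False
        self.users[name].pin = new_pin
        return True

class HardenedServer(BaseServer):
    def verify_otp(self, phone, otp):
        if phone in self.otps and _eq(self.otps.pop(phone), otp):
            sid = secrets.token_hex(16)
            # FIX: the session records the identity the OTP actually proved
            self.sessions[sid] = {"user": self.by_phone[phone], "pin_ok": False}
            return sid
        return None

    def verify_pin(self, sid, claimed_user, pin):
        # FIX: identity comes from the session; a mismatching claim is rejected
        sess = self.sessions.get(sid)
        if not sess or claimed_user != sess["user"]:
            return None
        if not _eq(self.users[sess["user"]].pin, pin):
            return None
        sess["pin_ok"] = True
        return sess["user"]

    def reset_pin(self, sid, old_pin, new_pin):
        # FIX: requires a fully authenticated session and the current PIN
        sess = self.sessions.get(sid)
        if not sess or not sess["pin_ok"] or not _eq(self.users[sess["user"]].pin, old_pin):
            return False
        self.users[sess["user"]].pin = new_pin
        return True

def cross_user_login(server):
    """Attack chain: reset the victim's PIN where the unauthenticated endpoint exists,
    pass the OTP step with the attacker's own phone, then name the victim at the PIN step."""
    atk, vic = server.users["attacker"], server.users["victim"]
    if isinstance(server, VulnerableServer):
        server.reset_pin(vic.uid, "9999")            # UUID only, no credentials
    sid = server.verify_otp(atk.phone, server.request_otp(atk.phone))
    for pin in ("9999", "2222"):                     # reset value, then a guess
        who = server.verify_pin(sid, "victim", pin)
        if who:
            return who                               # account the attacker now holds
    return None
```

Against `VulnerableServer` the chain ends logged in as `victim`; against `HardenedServer` it returns `None` because the session already knows who passed the OTP step and the reset endpoint demands an authenticated session plus the current PIN. The two checks an auditor would want from this model: every step after OTP verification must take its identity from server-side session state, never from the request, and no PIN-reset path may be reachable with only a user identifier.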

During the same period, another security researcher, Ashish Gahlot, independently discovered the same flaw and reported it to CERT-In (the Indian Computer Emergency Response Team). DigiLocker fixed the flaw immediately after being alerted by CERT-In.

According to the DigiLocker team's investigation, the flaw entered the code with the recent addition of new features. The team also stated that no data, database or storage was compromised as a result of the flaw.

If you have any questions about this DigiLocker vulnerability, or want to share your views on it, please post them in the comments and I will get back to you.

Comments

  1. very nice ....amazing
    please visit my blog too
    https://kidscricketcoaching.blogspot.com/2020/06/episode-18-pull-shot-08062020.html

