DigiLocker, an online service from the government that allows individuals to store documents digitally, was found to have an authentication flaw, putting the data of crores of users at risk. The issue was first discovered by a researcher last month and existed in the sign-in process of the service. This could have allowed bad actors to bypass the two-factor authentication and access sensitive personal information. The flaw has now been fixed. Notably, the online facility by the government has over 3.84 crore users.
A security researcher, Ashish Gahlot, discovered the vulnerability in the DigiLocker system while analysing its authentication mechanism. The researcher found that although the default mechanism asks for a one-time password (OTP) and a PIN to log in to the digital storage, he was able to bypass the authentication after adding an Aadhaar number and intercepting the connection to DigiLocker and changing the parameters, as explained by the researcher in a post on Medium.
The authentication flaw allowed anyone with sufficient technical skills to set up a new PIN and even access the DigiLocker account, without requiring any passwords. The flaw could also allow attackers to acquire a user profile by bypassing the OTP process and modifying the response using an interception tool.
Gahlot discovered the vulnerability last month and reported it to the DigiLocker team shortly. The team fixed the PIN bypassing issue in a couple of days, however, the OTP bypass issue was resolved on Monday.
In a statement released late-Tuesday, DigiLocker team acknowledged the vulnerability and said that it had "crept" in the code when new features were added to the platform recently. The team also claimed an attacker could only compromise the account of a DigiLocker user if they had the username of that account. Further, the team mentioned that no data was compromised because of the said vulnerability. As we mentioned earlier, the flaw is now patched.
Clarification about Reported Vulnerability on DigiLocker???? pic.twitter.com/hEz19QJDsj— DigiLocker (@digilocker_ind) June 2, 2020
As per the latest statistics available on the DigiLocker site, there are more than 3.84 crore registered users on the platform. It also issued over 375 authentic documents and has a total of 155 issuer organisations and 45 requestor organisations. The platform is used to store documents such as Aadhaar card, insurance letters, income tax (IT) returns, mark sheets by various state and central boards, and driving licence issued by state governments. Moreover, it is handled by the National e-Governance Division (NeGD), led by the Ministry of Electronics and Information Technology (MeitY).
Editor's Note: Updated with response from DigiLocker team.
In 2020, will WhatsApp get the killer feature that every Indian is waiting for? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.