UIDAI officials on Thursday claimed in the Supreme Court that the biometric details of residents are not shared with anyone and that the fastest computer currently available would need “more than the life of the universe” to break its 2048-bit encryption.
But a news website now says all it takes is money and a security researcher to break into the system. Claiming another case of a data breach, a Delhi-based security researcher says he has found a vulnerable endpoint and that anyone with an Aadhaar number is affected, the technology news site ZDNet reported.
Researcher Karan Saini said one of the vendors, whom the report did not name, could access the Aadhaar database through an app interface that the company relies on to verify the identity of a customer. What is worrying is that the company had not implemented security for the interface and, as a result, it would be possible to access the private data of every Aadhaar cardholder, whether or not they are a customer of the service provider, the report indicates.
The affected endpoint uses a hard-coded access token which, when decoded, translates to “INDAADHAARSECURESTATUS”, allowing anyone to query Aadhaar numbers against the database without any additional authentication, Saini said.
The researcher declined to publish the URL because it would compromise the data of millions of Indians. He said that the app’s interface did not have rate limiting in place. Rate limiting is a simple but useful security feature that slows down password-guessing attacks: it limits the number of HTTP requests that a user can make in a given period of time.
Without rate limiting in place, an attacker can iterate through every permutation of Aadhaar numbers and obtain information whenever a successful result is reached. He explained that it would be possible to enumerate Aadhaar numbers by going through various combinations, such as 1234 5678 0000 to 1234 5678 9999.
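As an added illustration (not code from the report, the researcher, or any real Aadhaar system), here is a hypothetical lookup endpoint with the two controls the report says were missing: credentials issued per integrating client instead of one shared hard-coded token, and a per-client sliding-window rate limit. All record values, numbers and key names are constructed; `burst` tallies how many of a run of sequential queries are actually served once the cap is hit.

```python
import time
from collections import defaultdict, deque
from typing import Dict, Optional, Tuple

# Constructed sample records; the numbers and values are made up for this example.
RECORDS = {"123456780042": "record-A", "123456780777": "record-B"}


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client -> timestamps of recent requests

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        while q and now - q[0] >= self.window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LookupService:
    """Hypothetical status endpoint: per-client credentials plus a per-client rate cap."""

    def __init__(self, limit: int = 20, window: float = 60.0):
        self.limiter = SlidingWindowLimiter(limit, window)
        # One key per integrating partner (constructed), so a leaked key can be
        # revoked and throttled on its own, unlike a single shared token.
        self.api_keys = {"key-partner-A": "partner-A"}

    def lookup(self, api_key: str, number: str, now: Optional[float] = None) -> Tuple[int, str]:
        now = time.monotonic() if now is None else now
        client = self.api_keys.get(api_key)
        if client is None:
            return 401, "unauthorized"
        if not self.limiter.allow(client, now):
            return 429, "rate limit exceeded"
        return (200, RECORDS[number]) if number in RECORDS else (404, "not found")


def burst(service: LookupService, api_key: str, prefix: str, n: int, interval: float) -> Dict[int, int]:
    """Issue n sequential lookups prefix+0000, prefix+0001, ... `interval` seconds
    apart starting at t=0 and tally the status codes the service returned."""
    counts: Dict[int, int] = defaultdict(int)
    for i in range(n):
        status, _ = service.lookup(api_key, f"{prefix}{i:04d}", now=i * interval)
        counts[status] += 1
    return dict(counts)
```

With a cap of 20 per minute, a run of 1,000 sequential queries gets 20 answers and 980 rejections, so the window size and limit are what turn "thousands a minute" into a handful.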
“An attacker is forced to find valid Aadhaar numbers there which could then be used to find the corresponding details,” Saini said. And because there is no rate cap, Saini said he could send thousands of requests every minute from a single computer, ZDNet reported.
Saini, the website reported, had run a handful of Aadhaar numbers (from friends who gave him permission) through the app, and the response included the Aadhaar holder’s full name and consumer number; it also revealed information about connected bank accounts, Saini said. This appears to contradict the disclosure by Aadhaar officials, who tweeted that Aadhaar’s database does not keep bank details.