In another exposure of Aadhaar’s cybersecurity weaknesses, over 70 subdomains under a Government of India website are providing access to demographic-authentication services without requiring identity verification from the requester. The websites expose an application programming interface, or API, into which anyone can enter a person’s Aadhaar number, name, gender and date of birth, and be directed to a page that either reads “yes” or displays an error message, indicating whether or not that combination corresponds to a valid entry in the Aadhaar database. Because the endpoint answers without authenticating the requester, without the consent of the person whose number is being checked, and with a plain yes-or-error response, it functions as a confirmation oracle: anyone holding a guessed or partially known Aadhaar number and the matching demographic details can have the system confirm it. Providing such unrestricted access to this API raises major privacy concerns, and may be exploited by attackers seeking to uncover or confirm people’s Aadhaar numbers. It also violates the Aadhaar Act, the law governing India’s nationwide digital-identity programme.
Two security researchers—Srinivas Kodali and Karan Saini—independently found the vulnerability and reported it to relevant authorities. On 10 May, Kodali reported it to the Unique Identification Authority of India, or UIDAI, which oversees Aadhaar; the National Critical Information Infrastructure Protection Centre, or NCIIPC, which protects government computer resources; and the Computer Emergency Response Team, or CERT, an office within the ministry of electronics and IT that deals with cybersecurity issues. Saini wrote a detailed report on the vulnerability and its implications and sent it to NCIIPC on 11 June. Two days later, he also sent it to the UIDAI, as well as the National Informatics Centre—which hosts the webpages on which the API appears, and is also a part of the ministry of electronics and IT.
Very little appears to have been done to fix the vulnerability. The NCIIPC responded almost immediately to both Kodali and Saini, thanking them for their reports. Kodali wrote back to the three authorities on 5 June, informing them that the issue had not been fixed. He never heard back. The NIC responded to Saini soon after he wrote, saying that a team is “working on resolving the issue,” and that “public disclosure of the issue shall hamper the efforts being undertaken” to fix it. Nine days after Saini received this email, the issue still did not appear to have been fixed.
It has been over 40 days since the API was first reported. At the time this piece was published, the issue had still not been fixed. The Caravan verified this vulnerability independently on two subdomains. This publication contacted each of the government agencies that were informed of the API by the researchers, but did not receive a response. Since no effective action appears to have been taken, The Caravan considers it a journalistic duty to report on the vulnerability. Out of concern for the security of all Aadhaar holders, no links to the webpages with this API are being published, nor are any further details about how the pages can be found.
Kodali told me that a main issue with the site providing public access to the API “is that there is no control” left to the Aadhaar holder, and “anybody can check your information” without your consent. This violates the Aadhaar Act, which states that Aadhaar authentication should happen only with the corresponding Aadhaar holder’s consent. According to the Act, “No identity information available with a requesting entity” can be disclosed, “except with the prior consent of the individual to whom such information relates.”