Aadhaar security failure: Government webpages provide unsecured access to demographic authentication

22 June, 2018

In another exposure of Aadhaar’s cybersecurity weaknesses, over 70 subdomains under a Government of India website are providing access to demographic-authentication services without requiring identity verification from the requester. The websites allow users to access an application programming interface, or API, in which anyone can enter a person’s Aadhaar number, name, gender and date of birth, and be directed to a page that either reads “yes” or displays an error message, indicating whether or not the information corresponds to a valid entry in the Aadhaar database. Providing such unrestricted access to this API raises major concerns of privacy, and may be exploited by hackers seeking to uncover people’s Aadhaar numbers. It also violates the Aadhaar Act, the law governing India’s nationwide digital-identity programme.

Two security researchers—Srinivas Kodali and Karan Saini—independently found the vulnerability and reported it to relevant authorities. On 10 May, Kodali reported it to the Unique Identification Authority of India, or UIDAI, which oversees Aadhaar; the National Critical Information Infrastructure Protection Centre, or NCIIPC, which protects government computer resources; and the Computer Emergency Response Team, or CERT, an office within the ministry of electronics and IT that deals with cybersecurity issues. Saini wrote a detailed report on the vulnerability and its implications and sent it to NCIIPC on 11 June. Two days later, he also sent it to the UIDAI, as well as the National Informatics Centre—which hosts the webpages on which the API appears, and is also a part of the ministry of electronics and IT.

Very little appears to have been done to fix the vulnerability. The NCIIPC responded almost immediately to both Kodali and Saini, thanking them for their reports. Kodali wrote back to the three authorities on 5 June, informing them that the issue had not been fixed. He never heard back. The NIC responded to Saini soon after he wrote, saying that a team is “working on resolving the issue,” and that “public disclosure of the issue shall hamper the efforts being undertaken” to fix it. As of nine days since Saini received this email, the issue does not appear to have been fixed.

It has been over 40 days since the API was first reported. At the time this piece was published, the issue had still not been fixed. The Caravan verified this vulnerability independently on two subdomains. This publication contacted each of the government agencies that were informed of the API by the researchers, but did not receive a response. Since no effective action appears to have been taken, The Caravan considers it a journalistic duty to report on the vulnerability. Out of concern for the security of all Aadhaar holders, no links to the webpages with this API are being published, nor are any further details about how the pages can be found.

Kodali told me that a main issue with the site providing public access to the API “is that there is no control” left to the Aadhaar holder, and “anybody can check your information” without your consent. This violates the Aadhaar Act, which states that Aadhaar authentication should happen only with the corresponding Aadhaar holder’s consent. According to the Act, “No identity information available with a requesting entity” can be disclosed, “except with the prior consent of the individual to whom such information relates.”

This API may also help hackers uncover Aadhaar numbers, especially those that have been published somewhere in a partially redacted form—a practice commonly followed by public and private entities alike. If an individual who has someone’s basic personal details also has a partial Aadhaar number for that person, they can program a computer to send a barrage of requests to the API, trying to enumerate all possible versions of the 12-digit Aadhaar number and find the correct one. “Certain websites publish masked Aadhaar numbers for purposes of transparency, but using the API, it would be possible to unmask and confirm who the Aadhaar belongs to,” Saini said. It would likely take far longer to use the API to find out an entirely unknown Aadhaar number, but that is theoretically possible as well.

Aadhaar has been controversial since its inception in 2009, with critics posing a variety of concerns, including those of exclusion, national security, privacy and data security. Data-security issues rose to prominence in May 2017, when the Centre for Internet and Society, a Bengaluru-based think tank, published a reportthat Kodali co-authored, revealing that 130 million Aadhaar numbers and other sensitive personal details had been published on government websites. Many additional revelations about Aadhaar-related security lapses have since come to light. For example, in January, Rachna Khaira, reporting for The Tribune, found that a payment of just Rs 500 gained her entry to a portal that provided access to any Aadhaar holder’s personal details if she entered their Aadhaar number. In March, the technology website ZDNet published an article about a vulnerability Saini found, in which a web application of Indane—an LPG brand owned by the Indian Oil Corporation—allowed anyone to query unlimited Aadhaar numbers and view the names, banking information and customer numbers of Aadhaar holders. As recent as three days ago, Kodali uncovered a similar security vulnerability in an Andhra Pradesh government website, which stored the data of nearly 4.5 crore individuals.

The existence of such diverse security vulnerabilities in the Aadhaar ecosystem makes this API even more concerning. Saini said that a hacker could use this API vulnerability to find an Aadhaar number, and then, if there were another portal like the one Khaira uncovered, they “could use it to find basically everything about [an individual] that’s linked to their Aadhaar. He added, “This could be chained together with other things which are possible after knowing the Aadhaar number, and could possibly allow for fraud.” Many reports, including CIS’s, have raised concerns that making individuals’ Aadhaar-related information public makes it easier for fraudsters to carry out identity theft and other scams.

Both Kodali and Saini had suggestions for how to help secure the website. A crucial change, Kodali said, could be to add an OTP feature. With this, a user would also have to enter in a one-time-password that would be sent to an Aadhaar holder’s registered mobile number in order to use the API to look up the validity of someone’s Aadhaar details. Saini told me the site could also require users to enter a captcha value with each query, preventing hackers from running attacks that have computer programmes guess thousands of possible Aadhaar numbers in quick succession. Another important change that both mentioned was for the site to use HTTPS, an encrypted protocol that helps secure websites, instead of the less-secure HTTP protocol. If any “network sniffer” were to try and read the website’s traffic, Saini said, all the individuals whose sensitive data was being communicated “could potentially be compromised because of that.”

In another incident that sparked analyses about NIC’s seemingly weak security, Abhinav Srivastav, an Ola employee, was arrested last August for allegedly illegally accessing UIDAI data for an app he created. He developed the app, he told me in Bengaluru this February, by using a proxy to access an NIC API that queried the UIDAI’s Aadhaar database. This API, too, was hosted on HTTP, not HTTPS.

A nearly identical vulnerability to the one Kodali and Saini recently found in the government website and its subdomains was publicised over six months ago. In a blog post from January, the cybersecurity researcher Sai Krishna Kothapalli detailed how a loophole in the website for the National Securities Depository Limit—an entity that helps secure the PAN Card system—provided similarly unrestricted access to Aadhaar’s demographic-authentication API. Around two weeks ago, Kothapalli told me over the phone that the issue has been fixed since he wrote about it.

In April, a response to a parliamentary question revealed that the UIDAI had audited NSDL, as well as six other entities that had been sanctioned to provide Aadhaar authentication services. The fact that the vulnerability exists on the website that Kodali and Saini found—even after it was fixed on NSDL’s website, and NSDL has been audited—suggests the absence of an effective system of technical testing that proactively finds and fixes vulnerabilities. “The same set of leaks which are happening on other websites,” Kodali told me, will “just repeat again and again.”

Of additional concern is the UIDAI’s lack of transparency on whether, and how, it audits government entities that provide access to Aadhaar services. An RTI request from May asked the UIDAI’s central office whether the body has “audited any government portals storing any Aadhaar numbers,” and if so, asked to provide details of the audits. The UIDAI’s response, signed by deputy director general YLP Rao, who manages the UIDAI’s technology division, simply read: “No records in this regard are available with this division.”

“UIDAI and private players using Aadhaar want an open API to access citizens’ private information,” Kodali said. “But open access to this kind of personal information can always be misused.”