Twitter user chips at mAadhaar, uncovers security holes

Twitter user chips away at mAadhaar app, uncovers glaring security holes

A France-based hacker going by the pseudonym Elliot Anderson has reported a potentially massive security flaw in UIDAI's mAadhaar app that could allow malicious entities to steal a user's Aadhaar data and, by extension, their identity.

In a series of tweets, Anderson detailed the flaws of the mAadhaar app, starting with how the app stores information in a local database on the user's phone, which by itself is not a problem because that is how most apps work on Android.

On deeper inspection, Anderson found that the app saves the user's biometric data in the local database, and that the database password is generated using a random number combined with a hardcoded string, with 123456789 as the seed.




This turned out to be the exact same code posted by a user on Stack Overflow as part of their question:




Anderson then suggested removing the developer endpoint from the release application.




When the Aadhaar autopsy started to pick up steam on social media, Anderson was hit with a string of questions about how the password is generated. In response, Anderson posted a PoC on GitHub detailing the process:
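The core problem the article describes is that a password drawn from a random number generator seeded with a constant is not random at all: every install derives the same value, so it is a hardcoded secret in disguise. The following is an added illustration, not Anderson's PoC and not the app's actual code; the derivation function, alphabet and length are assumptions chosen only to show the property, alongside the per-install alternative a defender would expect (a secret from the OS CSPRNG kept in the platform keystore).

```python
import random
import secrets
import string

# The constant seed the article reports. Everything else about the
# derivation below is a hypothetical stand-in, not the app's real scheme.
FIXED_SEED = 123456789


def weak_db_password(seed: int = FIXED_SEED, length: int = 16) -> str:
    """Hypothetical weak scheme: a PRNG seeded with a constant.

    Because the seed never changes, the sequence never changes, so every
    device ends up with exactly the same database password.
    """
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def strong_db_password(length: int = 32) -> str:
    """Per-install secret from the OS CSPRNG.

    On Android this value would be generated once and stored in the
    platform keystore rather than derived from anything in the APK.
    """
    return secrets.token_urlsafe(length)


def is_install_independent(generator, installs: int = 5) -> bool:
    """Simulate several fresh installs and report whether they all agree.

    True means the 'secret' is the same everywhere, which is the property
    that makes a local database password guessable by anyone who has read
    the app's code.
    """
    values = {generator() for _ in range(installs)}
    return len(values) == 1


if __name__ == "__main__":
    print("fixed-seed password identical across installs:",
          is_install_independent(weak_db_password))
    print("CSPRNG password identical across installs:",
          is_install_independent(strong_db_password))
```

The check function is the useful part for a reviewer: run a candidate key-derivation routine a few times as if on separate devices, and if the results collapse to one value, the secret is effectively embedded in the application and should be replaced with a per-install value held in the keystore.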







Anderson looked into the official documentation and learnt that the app stores the user's ID, Aadhaar number, name, date of birth, address, gender and photo.




Eventually, after a lot of digging, Anderson found the password salt used by the Aadhaar app, which was embarrassing, to say the least:




Anderson decided to contact Khosla Labs, the company that made the Aadhaar app, to show them some of their glaring mistakes and oversights: