A bug on an Indian state government website recently exposed sensitive information, including residents’ Aadhaar numbers, identity cards, and copies of their fingerprints. The security researcher who discovered the bug, Sourajeet Majumder, reported it to local authorities, leading to a prompt fix.
Key Takeaway
A bug on an Indian state government website allowed access to residents’ Aadhaar numbers, identity cards, and fingerprints. The bug has since been fixed.
The Bug and its Impact
The bug was found on the West Bengal government’s e-District web portal, which state residents use to access government services online. The portal offered services such as obtaining birth and death certificates, as well as building applications. Majumder discovered that by guessing sequential deed application numbers, it was possible to obtain land deeds, which contain records about land ownership.
Application identification numbers, unique 16-digit numbers issued by the state government, were required for accessing these land deeds. Majumder used publicly available tools to analyze the network traffic and determine valid application identification numbers. Consequently, individuals with login credentials to the e-District system could access land deeds, containing personal information such as names, photographs, fingerprints, and confidential Aadhaar numbers.
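The exposure described above can be illustrated with an added Python example, which is not the portal's code: it assumes the server checked only that a user was logged in, shows a lookup without and with a per-record ownership check, and flags accounts that request runs of consecutive application numbers they do not own. All function names, account names and records are hypothetical and constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: 16-digit application number -> owning account.
DEEDS = {
    "1000000000000001": "alice",
    "1000000000000002": "bob",
    "1000000000000003": "carol",
    "1000000000000004": "dave",
}

def fetch_deed_unchecked(user, app_no):
    """Flawed pattern: any logged-in user receives any record that exists."""
    return DEEDS.get(app_no)

def fetch_deed_checked(user, app_no):
    """Hardened pattern: a record is returned only to the account that owns it."""
    owner = DEEDS.get(app_no)
    return owner if owner == user else None

def flag_enumeration(access_log, min_run=3):
    """Return users who requested at least min_run consecutive application
    numbers that they do not own (a sign of identifier guessing)."""
    foreign = defaultdict(set)
    for user, app_no in access_log:
        # Misses count too: a guessed number that does not exist has no owner.
        if app_no.isdigit() and DEEDS.get(app_no) != user:
            foreign[user].add(int(app_no))
    flagged = set()
    for user, numbers in foreign.items():
        run, prev = 0, None
        for n in sorted(numbers):
            run = run + 1 if prev is not None and n == prev + 1 else 1
            prev = n
            if run >= min_run:
                flagged.add(user)
                break
    return flagged

# Constructed access log: (authenticated user, requested application number).
SAMPLE_LOG = [
    ("alice", "1000000000000001"),
    ("mallory", "1000000000000001"),
    ("mallory", "1000000000000002"),
    ("mallory", "1000000000000003"),
    ("bob", "1000000000000002"),
    ("bob", "1000000000000003"),
]
```

The ownership check is the fix; the log review is a way to look for earlier guessing of identifiers by other accounts.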
The Significance of Aadhaar Numbers
Aadhaar numbers are an integral part of India’s national identity and biometric database. Every citizen is assigned this unique number, which is required for several important activities, including accessing banking services, cell phone plans, and various government services. The exposure of Aadhaar numbers raised concerns about potential identity fraud and misuse.
Prompt Response and Aftermath
Majumder promptly reported the vulnerability to India’s computer emergency response team, CERT-In, and the West Bengal government. Given the severity of the issue, the bug was fixed soon after. However, it remains unclear if anyone else had discovered the bug prior to Majumder. Representatives from the West Bengal government and CERT-In have not provided any comment.
Local media has reported a rise in fraud cases associated with the alleged theft of biometric information, which criminals have been using to empty bank accounts. This incident further highlights the importance of robust security measures to protect personal data and prevent identity theft.
In conclusion, the discovery and subsequent resolution of the bug on the West Bengal government’s e-District website prevented potential misuse of sensitive personal information such as Aadhaar numbers and fingerprints. It serves as a reminder for governments and organizations to prioritize cybersecurity and safeguard personal data in an increasingly digital world.