Tag: aadhaar

Posted on

WeWork India exposed visitors’ personal information and selfies

WeWork India has fixed a security lapse that exposed the personal information and selfies of tens of thousands of people who visited WeWork India’s coworking spaces.

Security researcher Sandeep Hodkasia found visitor data spilling from the check-in app on WeWork India’s website, used by visitors to sign-in at the dozens of WeWork India locations across the country. A bug in the app meant it was possible to access the check-in record of any visitor by increasing or decreasing the user’s sequential user ID by a single digit.

Because the check-in tool was internet-facing, the bug allowed anyone on the internet to cycle through thousands of records, exposing names, phone numbers, email addresses, and selfies. Hodkasia said there were no obvious controls in place to prevent someone from accessing the data in bulk.

None of the data was encrypted.

Hodkasia described the bug to TechCrunch, which replicated and confirmed his findings, and passed the information to WeWork India.

When reached by email, WeWork India spokesperson Apoorva Verma confirmed its website “had a bug that allowed unintentional access to the basic visitor information.” The check-in app was pulled from the website soon after TechCrunch contacted the company. According to Verma, WeWork India is “in the midst of transitioning our website,” and that its recent changes “mitigated” the exposure.

It’s not known exactly how many visitors’ information was exposed or for how long.

When asked if there were any plans to notify those whose information was exposed, WeWork India spokesperson Sweta Nair would not say. (India’s new data breach reporting rules, which require companies to notify authorities of a data breach within six hours of discovery, have yet to take effect, following a delay in the rollout of the rules.)

WeWork India joins a raft of Indian companies and organizations in the past year beset by a lapse in cybersecurity. In 2020 during the peak of the COVID-19 pandemic, India’s largest cell network Jio exposed a database containing the results of a coronavirus self-test symptom checker on its website. Earlier this year, India’s Central Industrial Security Force left a database packed with network logs exposed to the internet, allowing anyone to directly access internal files on CISF’s internal network. And, in June, TechCrunch reported the latest spill of Aadhaar numbers involving potentially millions of India’s farmers, thanks to a security lapse at the PM-Kisan government agency.

Read more:

To get in touch with the security desk, you can message on Signal at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.

Posted on

India’s farmers exposed by new Aadhaar data leak

A security researcher said an Indian government website was exposing the Aadhaar numbers of India’s farmers, potentially amounting to millions of people.

Atul Nair told TechCrunch that he found a part of Pradhan Mantri Kisan Samman Nidhi website that was revealing the farmers’ information. PM-Kisan, as the agency is better known, is an Indian government initiative aimed at providing every farmer in India with basic financial income.

But Nair said a portion of the initiative’s website was returning farmers’ Aadhaar numbers, which farmers have to provide to receive the state income.

Aadhaar numbers are a confidential 12-digit number assigned to each Indian national as part of the country’s national identity database. Aadhaar is used as proof of identity for citizens after submitting their fingerprints and retinal scans to the central database, and is often required for accessing state government services, like welfare assistance and voting. Aadhaar numbers are also used for opening bank accounts, renting Airbnbs, driving with Uber, and for providing verification for other online services. Aadhaar numbers aren’t strictly secret, but are treated similarly to American Social Security or British National Insurance numbers.

Nair provided a small sample of exposed farmers’ information and corresponding Aadhaar numbers that were exposed by the PM-Kisan website, which TechCrunch verified as authentic by matching the exposed data with each farmer’s information using a tool on PM-Kisan’s own website.

He warned that a malicious attacker could have easily gathered the farmers’ information by writing a script. According to PM-Kisan’s website, which appears to be only accessible from within India, more than 110 million farmers have registered since the initiative launched in 2019.

Nair reported the security lapse in January to India’s national computer emergency response team, known as CERT-In, and the exposure was fixed in late-May. Nair also published his report in a blog post.

Ranjna Nagpal, whose contact information was listed on PM-Kisan’s website, did not return an email requesting comment sent prior to publication.

The data leak is not a breach of the central database run by Aadhaar’s regulator, the UIDAI, but is the latest security lapse to beset the controversial national identity database, staunchly defended by Prime Minister Narendra Modi’s government.

In 2017, a report found more than 130 million Aadhaar numbers and associated banking data had been exposed by just a handful of websites. TechCrunch has also reported on several lapses involving large numbers of Aadhaar numbers. And in 2018, journalists found that Aadhaar data was for sale by individuals selling access to the database.

Read more on TechCrunch:

Posted on

India withdraws warning on biometric ID sharing following online uproar

India has withdrawn a warning that asked users to not share photocopies of their national biometric ID following a widespread uproar from users on social media, many of whom pointed that this is the first time they were hearing about such a possibility.

A regional office of UIDAI, the body that oversees the national biometric ID system Aadhaar, warned users on Friday that “unlicensed private entities” such as hotels and theatre halls are “not permitted to collect or keep copies of Aadhaar,” a 12-digit unique number that ties an individual’s fingerprints and retina scan, and people should avoid sharing photocopies of their Aadhaar to prevent misuse.

The warning prompted an immediate and wide backlash from individuals. “I might have stayed in almost 100 hotels who kept a copy of my Aadhaar! Now this,” an individual tweeted, summing up the dilemma of tens of millions of people in the country, if not more.

About 1.33 billion people in India, or roughly the nation’s entire population, have enrolled in Aadhaar, an ID system that was unveiled about 13 years ago, according to government’s official figures. This scale of adoption makes Aadhaar the world’s largest biometric identity system.

Though Aadhaar has been touted as one of the world’s most sophisticated ID systems, critics have expressed concerns over the way its use case has been extended and made mandatory across several daily life services despite New Delhi marketing Aadhaar as a “voluntary” ID system.

On Sunday afternoon, India’s Ministry of Electronics and IT downplayed the warning following the backlash, saying the original advisory was issued by the Bengaluru Regional Office of UIDAI in the context of spreading awareness about the potential “misuse” of a “photoshopped Aadhaar card.”

“However, in view of the possibility of the misinterpretation of the press release, the same stands withdrawn with immediate effect,” it added.

“UIDAI issued Aadhaar card holders are only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers. Aadhaar Identity Authentication ecosystem has provided adequate features for protecting and safeguarding the identity and privacy of the Aadhaar holder.”

Posted on

India’s state gas company leaks millions of Aadhaar numbers

Another security lapse has exposed millions of Aadhaar numbers.

This time, India’s state-owned gas company Indane left exposed a part of its website for dealers and distributors, even though it’s only supposed to be accessible with a valid username and password. But the part of the site was indexed in Google, allowing anyone to bypass the login page altogether and gain unfettered access to the dealer database.

The data was found by a security researcher who asked to remain anonymous for fear of retribution from the Indian authorities. Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), is known to quickly dismiss reports of data breaches or exposures, calling critical news articles “fake news,” and threatening legal action and filing police complaints against journalists.

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson and has prior experience investigating Aadhaar exposures, investigated the exposure and provided the results to TechCrunch. Using a custom-built script to scrape the database, he found customer data for 11,000 dealers, including names and addresses of customers, as well as the customers’ confidential Aadhaar number hidden in the link of each record.

Robert, who explained more about his findings in a blog post, found 5.8 million Indane customer records before his script was blocked. In all, Robert estimated the total number affected could surpass 6.7 million customers.

We verified a sample of Aadhaar numbers from the site using UIDAI’s own web-based verification tool. Each record came back as a positive match.

A screenshot showing the unauthenticated access to Indane’s dealer portal, which included sensitive information on millions of Indian citizens. This was one dealer who had 4,034 customers. (Image: TechCrunch)

It’s the latest security lapse involving Aadhaar data, and the second lapse to embroil Indane. Last year, the gas and energy company was found leaking data from an endpoint with a direct connection to Aadhaar’s database. This time, however, the leak is believed to be limited to its own data.

Indane is said to have more than 90 million customers across India.

The exposure comes just weeks after an Indian state leaked the personal information of more than 160,000 government workers, including their Aadhaar numbers.

Aadhaar numbers aren’t secret, but are treated as confidential and private information similar to Social Security numbers. More than 90 percent of India’s population, some 1.23 billion citizens, are enrolled in Aadhaar, which the government and some private enterprises use to verify identities. The government uses Aadhaar to enroll citizens in state services, like voting, or applying for welfare or financial assistance. Some companies also pushed customers to enroll their bank accounts or phone service to their Aadhaar identity, but this was recently struck down by the country’s Supreme Court. Many say linking their Aadhaar identities to their bank accounts has led to fraud.

The exposure is likely to reignite fresh concerns that the Aadhaar system is not as secure as UIDAI has claimed. Although few of the security incidents have involved a direct breach of Aadhaar’s central database, the weakest link remains the companies or government departments that rely on the data.

We contacted both Indane and UIDAI, but did not hear back.

Indian state government leaks thousands of Aadhaar numbers

Posted on

India’s state gas company leaks millions of Aadhaar numbers

Another security lapse has exposed millions of Aadhaar numbers.

This time, India’s state-owned gas company Indane left exposed a part of its website for dealers and distributors, even though it’s only supposed to be accessible with a valid username and password. But the part of the site was indexed in Google, allowing anyone to bypass the login page altogether and gain unfettered access to the dealer database.

The data was found by a security researcher who asked to remain anonymous for fear of retribution from the Indian authorities. Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), is known to quickly dismiss reports of data breaches or exposures, calling critical news articles “fake news,” and threatening legal action and filing police complaints against journalists.

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson and has prior experience investigating Aadhaar exposures, investigated the exposure and provided the results to TechCrunch. Using a custom-built script to scrape the database, he found customer data for 11,000 dealers, including names and addresses of customers, as well as the customers’ confidential Aadhaar number hidden in the link of each record.

Robert, who explained more about his findings in a blog post, found 5.8 million Indane customer records before his script was blocked. In all, Robert estimated the total number affected could surpass 6.7 million customers.

We verified a sample of Aadhaar numbers from the site using UIDAI’s own web-based verification tool. Each record came back as a positive match.

A screenshot showing the unauthenticated access to Indane’s dealer portal, which included sensitive information on millions of Indian citizens. This was one dealer who had 4,034 customers. (Image: TechCrunch)

It’s the latest security lapse involving Aadhaar data, and the second lapse to embroil Indane. Last year, the gas and energy company was found leaking data from an endpoint with a direct connection to Aadhaar’s database. This time, however, the leak is believed to be limited to its own data.

Indane is said to have more than 90 million customers across India.

The exposure comes just weeks after an Indian state leaked the personal information of more than 160,000 government workers, including their Aadhaar numbers.

Aadhaar numbers aren’t secret, but are treated as confidential and private information similar to Social Security numbers. More than 90 percent of India’s population, some 1.23 billion citizens, are enrolled in Aadhaar, which the government and some private enterprises use to verify identities. The government uses Aadhaar to enroll citizens in state services, like voting, or applying for welfare or financial assistance. Some companies also pushed customers to enroll their bank accounts or phone service to their Aadhaar identity, but this was recently struck down by the country’s Supreme Court. Many say linking their Aadhaar identities to their bank accounts has led to fraud.

The exposure is likely to reignite fresh concerns that the Aadhaar system is not as secure as UIDAI has claimed. Although few of the security incidents have involved a direct breach of Aadhaar’s central database, the weakest link remains the companies or government departments that rely on the data.

We contacted both Indane and UIDAI, but did not hear back.

Indian state government leaks thousands of Aadhaar numbers

Posted on

Indian state government leaks thousands of Aadhaar numbers

A lapse in security has led to the leaking of over a hundred thousand Aadhaar numbers, TechCrunch can reveal.

One of the web systems used to record attendance of government workers for the Indian state of Jharkhand was left exposed and without a password as far back as 2014, allowing anyone access to names, job titles, and partial phone numbers on 166,000 workers as of the time of writing.

But the photo on each record page used the file name as that worker’s Aadhaar number, a confidential 12-digit number assigned to each Indian citizen as part of the country’s national identity and biometric database.

The data leak isn’t a direct breach of the central database run by Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), but represents another lapse in responsibility from the authority charged with protecting its data.

Aadhaar numbers aren’t strictly secret but are treated similarly to Social Security numbers. Anyone of the 1.23 billion Indian citizens enrolled in Aadhaar — more than 90 percent of the population — can use their unique number or their thumbprint to verify their identity in order to enroll in state services, like voting, welfare or financial assistance. Aadhaar users can even use their Aadhaar identity to open a bank account, get a SIM card, call an Uber, buy something on Amazon, or rent an Airbnb.

But the system has been plagued with problems that have led to starvation in cases, and the illicit trade of citizen data on the underground market.

It’s unclear why the Jharkhand government site was accessible to anyone who knew where to look, but little effort had been put in to ensure the security of the system — or even hide it from the outside world. The site was easily found on a subdomain of the state government’s website, but for long enough that it was indexed by Google, which cached copies of not only the site itself, but also its attendance record pages that still contain Aadhaar numbers in each worker’s photo.

TechCrunch asked Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, to take a look at the site. Robert has prior experience in revealing Aadhaar-related data leaks. Using less than a hundred lines of Python code, Robert demonstrated that it was easy for anyone to scrape the entire site in batches to download their photos and corresponding Aadhaar numbers.

TechCrunch verified a small selection of Aadhaar numbers from the site using UIDAI’s own verification tool on its website. (We used a VPN in Bangalore as the page was unavailable in the U.S.). Each record came back as a positive match.

After confirming our findings, we reached out to both the Jharkhand government and UIDAI.

Jharkhand’s attendance site leaking worker data. (Image: TechCrunch)

At the time of publication, neither had responded, but the website had been pulled offline.

The exposure may represent a fraction of the billion-plus users registered with Aadhaar, but uncovers yet another inadvertent disclosure of citizen data from a system that UIDAI claims is impenetrable. Instead of learning from mistakes and mishaps, UIDAI instead has shown a long history of rebuffing evidence of security incidents or breaches with mockery and declaring findings as “fake news,” by claiming to refute evidence without presenting any of its own.

The leak of Aadhaar numbers may not be seen as sensitive compared to leaked biometric data. Former attorney general Mukul Rohtagi once called a separate leak of Aadhaar numbers “much ado about nothing.” But it’s raises fears that obtaining and misusing someone’s number could lead to identity theft and fraud — which reportedly peaked last year.

Others have expressed concern that the system puts privacy at risk by recording information on a person’s life, which authorities can use to conduct surveillance on ordinary citizens.

But the exposure alone contradicts the Indian government’s claims that the Aadhaar system as a whole is secure.

In recent years, several security lapses involving data relating to Aadhaar have reignited fresh concerns about the centralized database — including several issues found by Robert. Last year, security researcher Karan Saini, a New Delhi-based security researcher, found a poorly-secured web address used by state-owned utility company Indane that had direct access to the Aadhaar database, allowing him to query results from the system. UIDAI rubbished the reports, baselessly claiming that there was “no truth to this story” in a series of tweets from its official Twitter account, despite evidence to the contrary. In the same year, India’s Tribune newspaper reported that some were selling direct access to the Aadhaar database. UIDAI responded by filing a complaint against the reporter with police.

Despite the security concerns, India’s Supreme Court ruled the database constitutional in September after a long-running court battle.

India’s largest bank SBI leaked account data on millions of customers