WeWork India exposed visitors’ personal information and selfies

WeWork India has fixed a security lapse that exposed the personal information and selfies of tens of thousands of people who visited WeWork India’s coworking spaces.

Security researcher Sandeep Hodkasia found visitor data spilling from the check-in app on WeWork India’s website, used by visitors to sign in at the dozens of WeWork India locations across the country. A bug in the app meant it was possible to access the check-in record of any visitor simply by increasing or decreasing the sequential user ID in the request by one.

Because the check-in tool was internet-facing, the bug allowed anyone on the internet to cycle through thousands of records, exposing names, phone numbers, email addresses, and selfies. Hodkasia said there were no obvious controls in place to prevent someone from accessing the data in bulk.
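The lookup pattern described above, as an added illustration that is not WeWork India’s code: a record fetch keyed only by a sequential ID, beside one that also checks the caller owns the record, plus a simple log heuristic that flags a client walking IDs one step at a time. All records, session tokens and log lines here are constructed.

```python
from collections import defaultdict

# Constructed visitor records keyed by a sequential integer ID; the "owner"
# field is an assumed session token handed out at check-in.
VISITORS = {
    1041: {"name": "A. Visitor", "phone": "+91-0000000001", "owner": "tok-a"},
    1042: {"name": "B. Visitor", "phone": "+91-0000000002", "owner": "tok-b"},
    1043: {"name": "C. Visitor", "phone": "+91-0000000003", "owner": "tok-c"},
}

def lookup_vulnerable(record_id):
    """Returns any record to any caller: an insecure direct object reference."""
    return VISITORS.get(record_id)

def lookup_hardened(record_id, session_token):
    """Returns the record only if it belongs to the caller's session.
    A missing record and someone else's record look identical to the caller,
    so the response does not reveal which IDs exist."""
    rec = VISITORS.get(record_id)
    if rec is None or rec["owner"] != session_token:
        return None
    return rec

def enumeration_suspects(log_lines, min_run=5):
    """Flag client IPs whose successive requests step through record IDs
    by exactly one. Constructed log format: '<ip> GET /checkin/<id>'."""
    ids_by_ip = defaultdict(list)
    for line in log_lines:
        ip, _, path = line.split()
        ids_by_ip[ip].append(int(path.rsplit("/", 1)[1]))
    suspects = set()
    for ip, ids in ids_by_ip.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if abs(cur - prev) == 1 else 1
            if run >= min_run:
                suspects.add(ip)
                break
    return suspects

# Constructed sample: one client reads its own record twice, another walks IDs.
SAMPLE_LOG = [
    "192.0.2.5 GET /checkin/1041",
    "192.0.2.5 GET /checkin/1041",
] + [f"198.51.100.9 GET /checkin/{i}" for i in range(2000, 2005)]
```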

None of the data was encrypted.

Hodkasia described the bug to TechCrunch, which replicated and confirmed his findings, and passed the information to WeWork India.

When reached by email, WeWork India spokesperson Apoorva Verma confirmed its website “had a bug that allowed unintentional access to the basic visitor information.” The check-in app was pulled from the website soon after TechCrunch contacted the company. According to Verma, WeWork India is “in the midst of transitioning our website,” and its recent changes have “mitigated” the exposure.

It’s not known exactly how many visitors’ information was exposed or for how long.

When asked if there were any plans to notify those whose information was exposed, WeWork India spokesperson Sweta Nair would not say. (India’s new data breach reporting rules, which require companies to notify authorities of a data breach within six hours of discovery, have yet to take effect, following a delay in the rollout of the rules.)

WeWork India joins a raft of Indian companies and organizations in the past year beset by a lapse in cybersecurity. In 2020 during the peak of the COVID-19 pandemic, India’s largest cell network Jio exposed a database containing the results of a coronavirus self-test symptom checker on its website. Earlier this year, India’s Central Industrial Security Force left a database packed with network logs exposed to the internet, allowing anyone to directly access internal files on CISF’s internal network. And, in June, TechCrunch reported the latest spill of Aadhaar numbers involving potentially millions of India’s farmers, thanks to a security lapse at the PM-Kisan government agency.


India’s farmers exposed by new Aadhaar data leak

A security researcher said an Indian government website was exposing the Aadhaar numbers of India’s farmers, potentially amounting to millions of people.

Atul Nair told TechCrunch that he found a part of Pradhan Mantri Kisan Samman Nidhi website that was revealing the farmers’ information. PM-Kisan, as the agency is better known, is an Indian government initiative aimed at providing every farmer in India with basic financial income.

But Nair said a portion of the initiative’s website was returning farmers’ Aadhaar numbers, which farmers have to provide to receive the state income.

An Aadhaar number is a confidential 12-digit number assigned to each Indian national as part of the country’s national identity database. Aadhaar is used as proof of identity for citizens after they submit their fingerprints and retinal scans to the central database, and is often required for accessing state government services, like welfare assistance and voting. Aadhaar numbers are also used for opening bank accounts, renting Airbnbs, driving with Uber, and for providing verification for other online services. Aadhaar numbers aren’t strictly secret, but are treated similarly to American Social Security or British National Insurance numbers.

Nair provided a small sample of exposed farmers’ information and corresponding Aadhaar numbers that were exposed by the PM-Kisan website, which TechCrunch verified as authentic by matching the exposed data with each farmer’s information using a tool on PM-Kisan’s own website.

He warned that a malicious attacker could have easily gathered the farmers’ information by writing a script. According to PM-Kisan’s website, which appears to be only accessible from within India, more than 110 million farmers have registered since the initiative launched in 2019.

Nair reported the security lapse in January to India’s national computer emergency response team, known as CERT-In, and the exposure was fixed in late May. Nair also published his report in a blog post.

Ranjna Nagpal, whose contact information was listed on PM-Kisan’s website, did not return an email requesting comment sent prior to publication.

The data leak is not a breach of the central database run by Aadhaar’s regulator, the UIDAI, but is the latest security lapse to beset the controversial national identity database, staunchly defended by Prime Minister Narendra Modi’s government.

In 2017, a report found more than 130 million Aadhaar numbers and associated banking data had been exposed by just a handful of websites. TechCrunch has also reported on several lapses involving large numbers of Aadhaar numbers. And in 2018, journalists found that Aadhaar data was for sale by individuals selling access to the database.


India withdraws warning on biometric ID sharing following online uproar

India has withdrawn a warning that asked users not to share photocopies of their national biometric ID, following a widespread uproar from users on social media, many of whom pointed out that this was the first time they were hearing about such a possibility.

A regional office of UIDAI, the body that oversees the national biometric ID system Aadhaar, warned users on Friday that “unlicensed private entities” such as hotels and theatre halls are “not permitted to collect or keep copies of Aadhaar,” a 12-digit unique number that ties an individual’s fingerprints and retina scan, and people should avoid sharing photocopies of their Aadhaar to prevent misuse.

The warning prompted an immediate and wide backlash from individuals. “I might have stayed in almost 100 hotels who kept a copy of my Aadhaar! Now this,” an individual tweeted, summing up the dilemma of tens of millions of people in the country, if not more.

About 1.33 billion people in India, or roughly the nation’s entire population, have enrolled in Aadhaar, an ID system that was unveiled about 13 years ago, according to the government’s official figures. This scale of adoption makes Aadhaar the world’s largest biometric identity system.

Though Aadhaar has been touted as one of the world’s most sophisticated ID systems, critics have expressed concerns over the way its use case has been extended and made mandatory across several daily life services despite New Delhi marketing Aadhaar as a “voluntary” ID system.

On Sunday afternoon, India’s Ministry of Electronics and IT downplayed the warning following the backlash, saying the original advisory was issued by the Bengaluru Regional Office of UIDAI in the context of spreading awareness about the potential “misuse” of a “photoshopped Aadhaar card.”

“However, in view of the possibility of the misinterpretation of the press release, the same stands withdrawn with immediate effect,” it added.

“UIDAI issued Aadhaar card holders are only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers. Aadhaar Identity Authentication ecosystem has provided adequate features for protecting and safeguarding the identity and privacy of the Aadhaar holder.”