Aadhaar leaks again: Indane Gas website, app leak data of 6.7 million subscribers

Security researcher Elliot Anderson has discovered a huge leak of Aadhaar numbers from Indane's website as well as its app. The leak has put the Aadhaar numbers of 6.7 million people at stake.

HIGHLIGHTS

  • Data of 6.7 million people is estimated to be at risk.
  • Both the online portal and app were found to be vulnerable.
  • UIDAI hasn't given out an official statement regarding the alleged leak.

Since last year, Aadhaar has been receiving a lot of flak for getting leaked on the web. Several incidents over the course of the year proved that the Aadhaar data of millions of Indians wasn't protected well enough to be kept safe.

Aadhaar leaks again

While the government takes steps to re-ensure the security of the Aadhaar data, another incident shows the lack of security in the Aadhaar system. This time, an estimated 6.7 million people's Aadhaar data is reported to be at risk.

According to a report from TechCrunch, Indane Gas has apparently leaked the data of around 6.7 million subscribers through its website and app. The leak was discovered by an anonymous security researcher and was reported to Elliot Anderson (Robert Baptiste). Anderson has been investigating several leaks regarding the Aadhaar system for quite some time and is known for exposing some of the biggest Aadhaar-related leaks last year.

The report states that Anderson examined the case and found the leak in Indane's distributor portal. The portal's lack of authentication meant that Anderson was able to easily access critical data of almost 6.7 million subscribers. Anderson could extract details such as Aadhaar numbers, names, addresses and dealer IDs. Anderson also discovered that the Indane Gas app for Android contained a loophole. Anderson developed a custom script that was able to get data for up to 11,000 dealers, which eventually led to the extraction of Aadhaar data of up to 5.8 million subscribers.

In a separate blog post written by Anderson on medium.com, he states that the leak was reported to Indane but he didn't get a reply. Hence the leak was made public. It is said that the page has been taken down now, but it's not yet known how much damage the exposed endpoint has done, thus putting the data of an estimated 6.7 million Indane subscribers at risk.

So far, UIDAI hasn't given out an official statement regarding the alleged leak reported by TechCrunch and Anderson. However, this proves once again that UIDAI's system isn't as secure as the agency assures from time to time. Not long ago, it was reported that the Jharkhand government accidentally left the Aadhaar data of thousands of government employees exposed due to some kind of lapse in security.

Except for the headline, this article has not been edited by MyDigitalProtection, and the original article is available at www.indiatoday.in