An Indian state government has fixed security issues impacting its website that exposed the sensitive documents and personal information of millions of residents.
The bugs existed on the Rajasthan government website related to Jan Aadhaar, a state program to provide a single identifier to families and individuals in the state to access welfare schemes. The bugs exposed the copies of Aadhaar cards, birth and marriage certificates, electricity bills and income statements related to registrants, as well as personal information such as their date of birth, gender and father’s name.
Security researcher Viktor Markopoulos, working for cybersecurity company CloudDefense.ai, found the bugs in the Jan Aadhaar portal in December and asked TC for help in disclosing them to the authorities.
The bugs were fixed last week through an intervention by the Indian Computer Emergency Response Team, or CERT-In.
One of the bugs allowed anyone who knew a registrant’s phone number to access that person’s documents and personal information.
The other bug returned sensitive data because the server did not properly verify the one-time passwords it had issued, the researcher explained.
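The two failure classes described above, phone-number-only access and an OTP step that is never actually checked server-side, are illustrated below in a constructed Python example. This is added here as an educational illustration and is not code from the article, the researcher, or the Jan Aadhaar portal, whose implementation is not described on the page. The phone numbers, file names, five-minute validity window and five-attempt limit are all assumptions; the point is the contrast between a handler that only confirms an OTP was issued and one that verifies the submitted code against server-side state with expiry, an attempt cap, binding to the phone number, and single use.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption: a five-minute validity window
MAX_ATTEMPTS = 5        # assumption: discard the code after five wrong guesses


class OtpStore:
    """Server-side OTP state keyed by phone number (in-memory for this example)."""

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # phone -> {"digest", "expires", "attempts"}

    def _digest(self, phone: str, code: str) -> bytes:
        # Bind the code to the phone number so a code issued for one number
        # cannot be replayed against another; only a keyed digest is stored.
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, phone: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # six random digits
        self._pending[phone] = {
            "digest": self._digest(phone, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # delivered out of band (SMS); never echoed in an API response

    def has_pending(self, phone: str) -> bool:
        return phone in self._pending

    def verify(self, phone: str, code: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[phone]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[phone]
            return False
        ok = hmac.compare_digest(entry["digest"], self._digest(phone, code))
        if ok:
            del self._pending[phone]   # single use: a verified code cannot be replayed
        return ok


def fetch_documents_weak(store, phone, code, records):
    """Flawed handler (constructed illustration of the failure class): it checks
    that an OTP was issued for the phone number but never compares the submitted
    code, so knowing the phone number alone is enough to retrieve the documents."""
    if store.has_pending(phone):
        return records.get(phone)
    return None


def fetch_documents(store, phone, code, records):
    """Hardened handler: releases documents only after the OTP verifies, and
    gives the same response for a wrong code and an unknown number."""
    if store.verify(phone, code):
        return records.get(phone)
    return None


if __name__ == "__main__":
    # Constructed sample data; the phone number and file names are placeholders.
    records = {"9000000001": ["aadhaar_copy.pdf", "birth_certificate.pdf"]}
    store = OtpStore(server_secret=secrets.token_bytes(32))
    issued = store.issue("9000000001")
    wrong = "000000" if issued != "000000" else "000001"
    print("weak handler, wrong code:    ", fetch_documents_weak(store, "9000000001", wrong, records))
    print("hardened handler, wrong code:", fetch_documents(store, "9000000001", wrong, records))
    print("hardened handler, right code:", fetch_documents(store, "9000000001", issued, records))
```

For detection, the weak handler leaves a recognisable trace: document downloads that are never preceded by a successful OTP verification for the same phone number, or a high ratio of issued to verified codes, are the server-side signals a monitoring team would look for.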
TC reached out to the Rajasthan government’s Jan Aadhaar Authority on December 22 and followed up a week later, but did not receive a response. TC subsequently shared the details of the bug with CERT-In, which confirmed on Thursday that the bugs had been fixed.
“This is to inform you that we have received a response from the concerned authority that the reported vulnerability has been fixed,” the agency told TC. The researcher also confirmed the fix.
TC reached out again to the Rajasthan government for comment ahead of publication, but we have not heard back.
The state’s Jan Aadhaar portal, which launched in 2019, says it has more than 78 million individual registrants and 20 million families. The portal aims to offer “One Number, One Card, One Identity” to residents in the northern state of Rajasthan for accessing state government welfare schemes. This contrasts with the regular Aadhaar card, available for enrollment to eligible individuals across India and provided by the central government-backed Unique Identification Authority, or UIDAI.