Indian state government has fixed the website bug that had exposed Aadhaar numbers and fingerprints

A bug on an Indian state government website inadvertently exposed documents containing residents’ Aadhaar numbers, identity cards and copies of their fingerprints, a security researcher says.

The bug was fixed last week after a security researcher disclosed it to local authorities.

Saurajit Majumdar found the bug in the West Bengal government’s e-District web portal, which allows state residents to access government services online, such as obtaining birth and death certificates and filing building construction applications. Majumdar said the website bug meant it was possible to obtain land deeds, which contain records about the owners of a piece of land, from the e-District website by guessing sequential deed application numbers.

Application Identification Numbers are unique 16-digit numbers issued by the state government when a local resident applies for a digital copy of a deed.

A partially blurred copy of a land deed of a resident of West Bengal.

Not every application identification number was valid. By using publicly available tools like Burp Suite to analyze network traffic in and out of the website, Majumdar could cycle through the entire list of sequential application numbers and use the responses from the server to determine whether each application identification number was valid or not.

With access to the application identification number, anyone logging into the e-District system can access the copy of the land deed. Two land deed records seen by TechCrunch include the names of the individuals involved in the deed, their photographs, and full sets of fingerprints on both hands. It is not unusual to see multiple people doing the same thing.

The deeds also include the government-issued identity documents of individuals, including their confidential Aadhaar numbers, which are assigned to every citizen as part of India’s national identity and biometric database. An Aadhaar number is required to access banking, cell phone plans and many government services.

Majumdar reported the website’s vulnerability to India’s Computer Emergency Response Team, known as CERT-In, and the government of West Bengal, fearing that the vulnerability could be misused for identity fraud. The bug was fixed soon after.
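The report does not say how the portal was changed. As an added illustration (not the portal's code, and not from the researcher), the sketch below contrasts the behaviour described above with a common remedy: check that the requester filed the application, return one identical response for invalid and unauthorized numbers, and cap failed lookups per account. All names, records and the threshold are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DeedApplication:
    application_id: str   # 16-digit application identification number
    applicant: str        # account that filed the application
    document: str

# Constructed sample records; the numbers and account names are invented.
STORE = {
    a.application_id: a
    for a in (
        DeedApplication("1000000000000001", "resident_a", "deed-for-resident_a"),
        DeedApplication("1000000000000002", "resident_b", "deed-for-resident_b"),
    )
}

NOT_FOUND = (404, "application not available")
ENUMERATION_THRESHOLD = 3   # assumed cap on failed lookups per account
failed_lookups = {}         # account -> count of failed lookups

def vulnerable_fetch(user, application_id):
    """Behaviour the article describes: any logged-in user, any valid number."""
    app = STORE.get(application_id)
    if app is None:
        # A distinct answer for unknown numbers tells the caller which are valid.
        return (404, "invalid application number")
    return (200, app.document)   # no check that `user` owns the application

def hardened_fetch(user, application_id):
    """Object-level authorization with one response for every failure."""
    if failed_lookups.get(user, 0) >= ENUMERATION_THRESHOLD:
        return (429, "too many failed lookups")
    app = STORE.get(application_id)
    if app is None or app.applicant != user:
        # Same response whether the number is unknown or belongs to someone else.
        failed_lookups[user] = failed_lookups.get(user, 0) + 1
        return NOT_FOUND
    return (200, app.document)
```
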

It is not known whether anyone other than Majumdar discovered the bug. Representatives of the West Bengal government and CERT-In did not respond to requests for comment. The West Bengal government’s e-District website says it has processed more than 17 million applications so far, though it is not known how many relate to land deeds.

Local media have recently reported an increase in fraud involving the alleged theft of biometric information, which criminals are said to be using to drain bank accounts.
