DigiLocker is an online digital storage service run by the government that allows citizens to hold documents and files digitally. Recently, a security researcher discovered a vulnerability in DigiLocker that put over 3.8 crore accounts at risk.
It is an authentication flaw in the sign-in mechanism of the service, and it put users' core data at risk. The issue was first identified by security researcher Ashish Ghalot last month.
This kind of vulnerability lets an attacker evade two-factor authentication and gain access to users' sensitive private information. The flaw has since been investigated and fixed.
Ashish Ghalot found the flaw while analyzing DigiLocker's authentication mechanism. He stated that he examined the default mechanism, which asks for a one-time password (OTP) and a PIN to log in to the digital storage.
After receiving the OTP, he was able to circumvent the authentication mechanism by entering an Aadhaar number and simply modifying the parameters of the request that links it to DigiLocker.
With over 38 million enrolled users, DigiLocker is a cloud-based locker that serves as a digital platform for online processing of records and faster delivery of various government-to-citizen services. DigiLocker is linked to a user's mobile number and Aadhaar ID (a unique identity number (UID) assigned to every citizen of India).
Apart from Ashish Ghalot, other security experts have also investigated this DigiLocker vulnerability; they have identified the root cause of the flaw and will publish further details soon.
On May 10, the security researcher Ashish Ghalot reported all his findings to CERT-IN, and the issue was resolved on May 28. Here is the detailed list of findings discovered by Ashish Ghalot:
- OTP bypass due to lack of authorization – Marked as Critical
- Secret PIN Bypass/takeover – Marked as Critical
- Poor session mechanism in APIs – Marked as High
- Weak SSL pinning mechanism in the mobile app – Marked as Medium
1. OTP bypass due to lack of authorization
The first finding is the OTP bypass due to lack of authorization. The missing authorization check makes the attacker's job easy: the OTP validation can be completed by presenting any valid user's details, after which the login flow can be manipulated to sign in as a completely different user.
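The pattern described above, as an added illustration that is not DigiLocker's code: an OTP check that verifies the code but never checks that the account being logged into is the one the OTP was issued for, next to a version that binds the session to the challenge's identity. Data, user ids and function names are constructed for the example.

```python
"""Binding an OTP challenge to the identity it was issued for (illustrative)."""
import hmac
import secrets

# challenge_id -> (user_id the OTP was issued for, otp); constructed in-memory store
CHALLENGES = {}


def issue_otp(user_id):
    """Create an OTP challenge for user_id; in reality the OTP is sent out of band."""
    otp = f"{secrets.randbelow(10**6):06d}"
    challenge_id = secrets.token_hex(8)
    CHALLENGES[challenge_id] = (user_id, otp)
    return challenge_id, otp


def login_vulnerable(challenge_id, otp, requested_user_id):
    """Verifies the OTP, then trusts whatever user id the caller supplies.

    This is the 'lack of authorization' class of bug: the OTP proves the
    caller received a code for *some* account, not for requested_user_id.
    """
    _issued_for, expected = CHALLENGES.get(challenge_id, (None, None))
    if expected is None or not hmac.compare_digest(otp, expected):
        return None
    return {"session_for": requested_user_id}  # no binding to _issued_for


def login_fixed(challenge_id, otp, requested_user_id):
    """Same OTP check, but the session is bound to the identity the OTP was issued for.

    The challenge is consumed on any attempt so a code cannot be replayed,
    and a mismatched user id is rejected as parameter tampering.
    """
    issued_for, expected = CHALLENGES.pop(challenge_id, (None, None))
    if expected is None or not hmac.compare_digest(otp, expected):
        return None
    if requested_user_id != issued_for:
        return None  # OTP was not issued for this account
    return {"session_for": issued_for}  # derived server-side, not from the request
```

A real deployment would also add expiry and rate limiting to the challenge store; the point here is only that the authenticated identity must come from the verified challenge, not from a client-controlled parameter.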
2. Secret PIN Bypass/takeover
Next is the secret PIN bypass/takeover, which is also marked as a critical finding. An API/URL for setting the PIN allowed an attacker to reset any user's PIN to a completely new one without any authentication. In short, it is one of the easiest ways to compromise user data, which is why it was marked as critical.
3. Poor session mechanism in APIs
After that comes the 'poor session mechanism in APIs', a finding marked as high. Here, the API calls from the mobile app were using basic authentication to retrieve data or perform any kind of transaction.
In other words, every call had to carry the user's credentials in HTTP Basic Authentication format, with those credentials encrypted using the algorithm AES/CBC/PKCS5Padding.
4. Weak SSL pinning mechanism in the mobile app
Lastly, there is the weak SSL pinning mechanism in the mobile app. The app's SSL pinning was weak and could be bypassed efficiently with tools like Frida and other well-known methods.
According to DigiLocker, the vulnerability was serious enough that an individual's DigiLocker account could potentially be compromised if the attacker knew the username for that account. The flaw was therefore fixed on priority once the technical team received the alert from CERT-IN.