computer Security

Indian DigiLocker Flaw Let Hackers AccessOver 3.8 Crore Accounts Without Password

DigiLocker is a digital online store where the government allows us to hold data and files digitally. But, recently, a security expert has discovered a new vulnerability in DigiLocker that has compromised over 3.8 crore accounts. 

It is an authentication flaw that has put the core of users’ data at risk. Initially, this issue was first identified by a security researcher Ashish Ghalot last month and survived in the sign-in method of the service. 

This kind of vulnerability helps the hackers to evade two-factor authentication and get access to some delicate private information of the users, but now the flaw has been already determined and fixed.

Well, Ashish Ghalot had found the flaw in the DigiLocker when he was analyzing the authentication mechanism. Moreover, he also stated that he obtained the default mechanism, which asks for a one-time password that is (OTP) and a PIN to log in to the digital storage. 

After getting the OTP, he was capable of circumventing the authentication mechanism after putting an Aadhaar number and preventing the link to DigiLocker, simply modify the parameters. 

Including over 38 million enrolled users, DigiLocker is a cloud-based locker that serves as a digital platform to help in several online processing of records and faster performance of different government-to-citizen assistance. More importantly, DigiLocker is connected to a user’s mobile number and Aadhar ID (a unique identity number (UID) assigned to every citizen of India).

Apart from Ashish Ghalot, other security experts have also investigated this vulnerability of DigiLocker, and they also found the main reason behind this flaw and will clarify everything soon.


On May 10, the security researcher, Ashish Ghalot, summarized all his findings to CERT-IN, and the issue was determined on May 28. Here are, the detailed analysis that are discovered by the Ashish Ghalot in this event:-

  1. OTP bypass due to lack of authorization – Marked as Critical
  2. Secret PIN Bypass/takeover – Marked as Critical
  3. Poor session mechanism in APIs – Marked as High
  4. Weak SSL pinning mechanism in the mobile app – Marked as Medium

1. OTP bypass due to lack of authorization

The first finding is the OTP bypass due to lack of authorization, and the lack of authorization makes the situation more comfortable for the attacker. And it becomes easy to implement OTP validation by presenting any valid users’ details and then manipulation flow to log in as a completely distinct user.

2. Secret PIN Bypass/takeover

Next, we have the secret PIN Bypass/takeover, well it’s one of the flaws, which is also marked as critical findings. As any API/URL pin easily help the hackers to reset an utterly new pin of any users without any authentication. In short, it’s one of the easiest ways to compromise the user data, and that’s the reason for which it was marked s critical.

3. Poor session mechanism in APIs

After that, we have the ‘poor session mechanism in APIs,’ it’s one of the findings that was marked as high. And in this finding, you will perceive that API calls from mobile were utilizing primary authentication to retrieve any data or do any sought of transactions.

More importantly, all the calls get encrypted, which implies that every user has to present their credentials, which is on a basic authentication format that is also encrypted with the algorithm: AES/CBC/PKCS5Padding.

4. Weak SSL pinning mechanism in the mobile app

Lastly, we have the poor SSL pinning mechanism in the mobile app, and in this finding, the app uses the weak SSL pinning, which can be bypass efficiently with devices like Frida and also some acknowledged methods as well.

According to the Digilocker, the essence of the vulnerability was so strong that an individual’s DigiLocker account could probably get arbitrated if the attacker perceived the username for that appropriate account. So, the flaw was covered on preference data, and the technical team started receiving an alert from CERT-IN.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

Critical Bug in Traffic Light Controller Let Hackers to Control Traffic lights Remotely

Zoom Vulnerability Allow Attackers to Hack Victim Machine via Chat Messages

Critical Bluetooth Vulnerability Let Hackers Compromise Billion of Devices

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Defend Ransomware Attacks With Top Effective Proactive Measures in 2024

We're currently living in an age where digital threats loom large. Among these, ransomware has…

19 mins ago

GoTitan Botnet Actively Exploiting Apache ActiveMQ Vulnerability

Attackers are exploiting the recently discovered critical security vulnerability tracked as (CVE-2023-46604) affecting Apache ActiveMQ…

17 hours ago

Cybercriminals are Showing Hesitation to Utilize AI When Executing Cyber Attacks

Media reports highlight the sale of LLMs like WormGPT and FraudGPT on underground forums. Fears…

17 hours ago

Vigil: Open-source Security Scanner for LLM Models Like ChatGPT

An open-source security scanner, developed by Git Hub user Adam Swanda, was released to explore…

18 hours ago

Slovenia’s Biggest Power Provider has Suffered a Cyberattack

One of Slovenia's major power providers, HSE, has recently fallen victim to a significant cyberattack.…

18 hours ago

Genesis Market Technique: Hackers Exploited Node.js and EV Certificates

In the labyrinthine landscape of cyber threats, the Trend Micro Managed XDR team has uncovered…

21 hours ago