DigiLocker is a digital online store where the government allows us to hold data and files digitally. But, recently, a security expert has discovered a new vulnerability in DigiLocker that has compromised over 3.8 crore accounts.
It is an authentication flaw that has put the core of users’ data at risk. Initially, this issue was first identified by a security researcher Ashish Ghalot last month and survived in the sign-in method of the service.
This kind of vulnerability helps the hackers to evade two-factor authentication and get access to some delicate private information of the users, but now the flaw has been already determined and fixed.
Well, Ashish Ghalot had found the flaw in the DigiLocker when he was analyzing the authentication mechanism. Moreover, he also stated that he obtained the default mechanism, which asks for a one-time password that is (OTP) and a PIN to log in to the digital storage.
After getting the OTP, he was capable of circumventing the authentication mechanism after putting an Aadhaar number and preventing the link to DigiLocker, simply modify the parameters.
Including over 38 million enrolled users, DigiLocker is a cloud-based locker that serves as a digital platform to help in several online processing of records and faster performance of different government-to-citizen assistance. More importantly, DigiLocker is connected to a user’s mobile number and Aadhar ID (a unique identity number (UID) assigned to every citizen of India).
Apart from Ashish Ghalot, other security experts have also investigated this vulnerability of DigiLocker, and they also found the main reason behind this flaw and will clarify everything soon.
On May 10, the security researcher, Ashish Ghalot, summarized all his findings to CERT-IN, and the issue was determined on May 28. Here are, the detailed analysis that are discovered by the Ashish Ghalot in this event:-
The first finding is the OTP bypass due to lack of authorization, and the lack of authorization makes the situation more comfortable for the attacker. And it becomes easy to implement OTP validation by presenting any valid users’ details and then manipulation flow to log in as a completely distinct user.
Next, we have the secret PIN Bypass/takeover, well it’s one of the flaws, which is also marked as critical findings. As any API/URL pin easily help the hackers to reset an utterly new pin of any users without any authentication. In short, it’s one of the easiest ways to compromise the user data, and that’s the reason for which it was marked s critical.
After that, we have the ‘poor session mechanism in APIs,’ it’s one of the findings that was marked as high. And in this finding, you will perceive that API calls from mobile were utilizing primary authentication to retrieve any data or do any sought of transactions.
More importantly, all the calls get encrypted, which implies that every user has to present their credentials, which is on a basic authentication format that is also encrypted with the algorithm: AES/CBC/PKCS5Padding.
Lastly, we have the poor SSL pinning mechanism in the mobile app, and in this finding, the app uses the weak SSL pinning, which can be bypass efficiently with devices like Frida and also some acknowledged methods as well.
According to the Digilocker, the essence of the vulnerability was so strong that an individual’s DigiLocker account could probably get arbitrated if the attacker perceived the username for that appropriate account. So, the flaw was covered on preference data, and the technical team started receiving an alert from CERT-IN.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
Also Read:
Critical Bug in Traffic Light Controller Let Hackers to Control Traffic lights Remotely
Zoom Vulnerability Allow Attackers to Hack Victim Machine via Chat Messages
Critical Bluetooth Vulnerability Let Hackers Compromise Billion of Devices
We're currently living in an age where digital threats loom large. Among these, ransomware has…
Attackers are exploiting the recently discovered critical security vulnerability tracked as (CVE-2023-46604) affecting Apache ActiveMQ…
Media reports highlight the sale of LLMs like WormGPT and FraudGPT on underground forums. Fears…
An open-source security scanner, developed by Git Hub user Adam Swanda, was released to explore…
One of Slovenia's major power providers, HSE, has recently fallen victim to a significant cyberattack.…
In the labyrinthine landscape of cyber threats, the Trend Micro Managed XDR team has uncovered…