DigiLocker bug risked info of over 38m accounts
The flaw in the DigiLocker app has been fixed now.
The Government of India's DigiLocker app was found to have a bug that put the information of over 38 million account holders at risk by allowing attackers to bypass the app's authentication checks.
The vulnerability was discovered by security researcher Ashish Gahlot, who detailed his findings in a post on Medium.
DigiLocker's authentication mechanism combines a one-time password (OTP) with a six-digit PIN to log into the cloud-based document store. Gahlot noted that although the app requires both steps to log in, the process could be bypassed by supplying the target's Aadhaar number and modifying a handful of request parameters. On doing so, he landed on a page that asked him to set a new PIN instead of entering the previously set one, meaning the OTP step had effectively been skipped.
“This not only changes the previous PIN of the user but also gives complete access to the Locker,” he wrote in the post.
In practice, the flaw meant that anyone who knew a victim's Aadhaar number could reset that victim's PIN without presenting the OTP or the existing PIN, and thereby gain complete access to the victim's locker.
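The bug class described above (a multi-step login whose later step trusts what the client claims about earlier steps) is easier to reason about in code. The following is an added illustration written for this page, not DigiLocker's code: it models a two-step OTP-plus-PIN flow twice, once where the PIN-reset endpoint believes a client-supplied `otp_verified` parameter, and once where OTP success is recorded only in server-side session state. All class and field names, the `otp_verified` parameter, and the sample Aadhaar-format number are assumptions made for the demonstration.

```python
"""Model of a two-step (OTP + PIN) login whose PIN-reset step trusts a
client-supplied flag, beside a version that keeps that state server-side.

Illustrative example only, not DigiLocker's code. Every name, field and the
'otp_verified' parameter are assumptions made for this demonstration.
"""
import hmac
import secrets

OTP_LEN = 6


def _make_otp():
    return "".join(secrets.choice("0123456789") for _ in range(OTP_LEN))


class VulnerableLocker:
    """Each step is driven by parameters the client sends; the reset endpoint
    never checks that the OTP step actually completed on the server."""

    def __init__(self):
        self.pins = {}          # aadhaar -> pin (plaintext only for brevity)
        self.pending_otps = {}  # aadhaar -> otp awaiting verification

    def register(self, aadhaar, pin):
        self.pins[aadhaar] = pin

    def request_otp(self, aadhaar):
        otp = _make_otp()
        self.pending_otps[aadhaar] = otp
        return otp  # in reality sent to the registered mobile number

    def verify_otp(self, aadhaar, otp):
        expected = self.pending_otps.get(aadhaar)
        return expected is not None and hmac.compare_digest(expected, otp)

    def set_new_pin(self, params):
        # BUG: 'otp_verified' comes straight from the request body, so the
        # client decides whether the OTP step happened. Knowing only the
        # Aadhaar number is enough to reach this step and reset the PIN.
        if params.get("otp_verified") != "true":
            return False
        self.pins[params["aadhaar"]] = params["new_pin"]
        return True


class HardenedLocker:
    """Same flow, but OTP success is recorded in server-side session state
    keyed by an unguessable token. The reset endpoint consults only that
    state and ignores anything the client claims about earlier steps."""

    def __init__(self):
        self.pins = {}
        self.pending_otps = {}
        self.sessions = {}  # token -> {"aadhaar": ..., "otp_ok": bool}

    def register(self, aadhaar, pin):
        self.pins[aadhaar] = pin

    def start_session(self, aadhaar):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"aadhaar": aadhaar, "otp_ok": False}
        return token

    def request_otp(self, token):
        sess = self.sessions[token]
        otp = _make_otp()
        self.pending_otps[sess["aadhaar"]] = otp
        return otp

    def verify_otp(self, token, otp):
        sess = self.sessions.get(token)
        if sess is None:
            return False
        expected = self.pending_otps.get(sess["aadhaar"])
        ok = expected is not None and hmac.compare_digest(expected, otp)
        if ok:
            sess["otp_ok"] = True
            self.pending_otps.pop(sess["aadhaar"], None)  # OTP is single-use
        return ok

    def set_new_pin(self, params):
        sess = self.sessions.get(params.get("session"))
        # Only server-side state decides; a forged 'otp_verified' is ignored.
        if sess is None or not sess["otp_ok"]:
            return False
        self.pins[sess["aadhaar"]] = params["new_pin"]
        sess["otp_ok"] = False  # one reset per verified OTP
        return True


def attacker_resets_pin(locker, aadhaar, extra_params=None):
    """Attacker knows only the victim's Aadhaar number, skips the OTP step
    entirely and forges the 'otp_verified' flag (parameter tampering)."""
    params = {"aadhaar": aadhaar, "new_pin": "000000", "otp_verified": "true"}
    params.update(extra_params or {})
    return locker.set_new_pin(params)


def demo():
    victim = "123412341234"  # constructed sample in Aadhaar format
    vuln, hard = VulnerableLocker(), HardenedLocker()
    vuln.register(victim, "654321")
    hard.register(victim, "654321")
    # Against the vulnerable server the forged flag is enough.
    vuln_hit = attacker_resets_pin(vuln, victim)
    # Against the hardened server the attacker may open a session, but the
    # server recorded no OTP success for it, so the reset is refused.
    atk_tok = hard.start_session(victim)
    hard_hit = attacker_resets_pin(hard, victim, {"session": atk_tok})
    # A legitimate user who really completes the OTP step still succeeds.
    tok = hard.start_session(victim)
    hard.verify_otp(tok, hard.request_otp(tok))
    legit = hard.set_new_pin({"session": tok, "new_pin": "111111"})
    return vuln_hit, hard_hit, legit, vuln.pins[victim], hard.pins[victim]
```

The fix is not a stricter check on the `otp_verified` value but removing the client's say in the matter entirely: the server records which step each session has completed and every later endpoint reads that record, never the request body. When testing a flow like this, replay the final step with the earlier steps omitted and with any step-state parameters set to their "success" values; a correct implementation rejects both.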
According to a report by Gadgets 360, Gahlot reported the issue to the DigiLocker team and the vulnerability has since been patched.