Vulnerability Allowing Access to Any Indian DigiLocker Account Without a Password

Indian Government Addresses Security Flaw in Digilocker Service

The Indian Government has confirmed the resolution of a significant vulnerability in its secure document wallet service, Digilocker. The flaw potentially allowed a remote attacker to bypass the mobile one-time password (OTP) step and sign in to other users’ accounts.

Independent researchers Mohesh Mohan and Ashish Gahlot uncovered this vulnerability, which posed a serious threat to the privacy and security of nearly 38 million registered users. Exploitation of the flaw could have granted attackers unauthorized access to sensitive documents stored on the government platform, significantly compromising user privacy.

Mohan, in a detailed disclosure shared with The Hacker News, explained that the OTP validation process on Digilocker lacked sufficient authorization checks. This oversight made it possible to validate an OTP using any valid user’s information and then manipulate the sign-in process to impersonate a different user. The implications are particularly alarming given the sensitive nature of the documents stored in the system, which are linked to users’ mobile numbers and Aadhaar IDs—unique identification numbers issued to Indian citizens.

In practice, an attacker needed only a target’s Aadhaar ID, linked mobile number, or username to trigger the issuance of an OTP, and the missing authorization check then let them circumvent the sign-in procedure altogether. Furthermore, although the mobile version of Digilocker adds a 4-digit PIN as a second factor, the researchers found it feasible to manipulate API calls so that the PIN of a different user was authenticated, again yielding unauthorized access.

Mohan elaborated that anyone could complete the OTP verification as one user and then submit the PIN details of another, effectively logging in as the second individual. This points to a critical oversight in the API’s design: because the PIN endpoint carried no session-related information tying it to the identity that had passed the OTP step, a PIN reset could be performed against any user’s UUID.
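The missing binding Mohan describes, illustrated as an added Python example that is not DigiLocker’s code (the class and function names, the session layout and the sample accounts are all assumptions): the weak variant takes the user id from the request after any OTP has passed, while the hardened variant takes it from the server-side login state that the OTP step created, so the PIN step can only complete for the same account.

```python
import hashlib
import hmac
import secrets


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash of the account PIN (the stored form; the PIN itself is never kept)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class AuthServer:
    """Two-step login: OTP sent to the phone on file, then the account PIN."""

    def __init__(self, users: dict):
        self.users = users      # uid -> {"phone": str, "salt": bytes, "pin": bytes}
        self.sessions = {}      # server-side login state, keyed by session id

    def request_otp(self, uid: str):
        otp = f"{secrets.randbelow(10**6):06d}"
        sid = secrets.token_urlsafe(16)
        # The session records WHICH user the OTP was issued for.
        self.sessions[sid] = {"uid": uid, "otp": otp, "otp_ok": False}
        return sid, otp         # the OTP would go out by SMS; returned here only for testing

    def verify_otp(self, sid: str, otp: str) -> bool:
        s = self.sessions.get(sid)
        if s is None or not hmac.compare_digest(s["otp"], otp):
            return False
        s["otp_ok"] = True
        return True

    def verify_pin_unbound(self, sid: str, uid: str, pin: str) -> bool:
        """Weak pattern: trusts the uid in the request, so the PIN step is not
        tied to the identity that passed the OTP step."""
        s, u = self.sessions.get(sid), self.users.get(uid)
        if s is None or u is None or not s["otp_ok"]:
            return False
        return hmac.compare_digest(hash_pin(pin, u["salt"]), u["pin"])

    def verify_pin_bound(self, sid: str, pin: str) -> bool:
        """Hardened: the uid comes from the server-side session, never from the client."""
        s = self.sessions.get(sid)
        if s is None or not s["otp_ok"]:
            return False
        u = self.users[s["uid"]]
        ok = hmac.compare_digest(hash_pin(pin, u["salt"]), u["pin"])
        if ok:
            self.sessions.pop(sid)  # one-shot: the login state cannot be replayed
        return ok


def demo_users() -> dict:
    """Constructed sample accounts for the example (not real data)."""
    sa, sb = b"salt-a", b"salt-b"
    return {"alice": {"phone": "+91-0000000001", "salt": sa, "pin": hash_pin("1234", sa)},
            "bob": {"phone": "+91-0000000002", "salt": sb, "pin": hash_pin("9876", sb)}}
```

A real deployment would also rate-limit OTP and PIN attempts and expire sessions; those controls are omitted here to keep the binding check in focus.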

Additionally, security measures within the mobile application, such as basic authentication, were found to be easily bypassable. The application was also criticized for insufficient SSL pinning, which protects data in transit against interception by an attacker on the network path. After the issue was reported to the Indian Computer Emergency Response Team (CERT-In), the vulnerability was patched within 18 days, reflecting an urgent response to a significant security flaw.

In a statement addressing the issue, Digilocker acknowledged the nature of the vulnerability, noting that an attack could compromise an account if the attacker knew specific details about the user. However, the organization emphasized that the vulnerability did not allow indiscriminate access to all accounts and reassured users that there was no compromise to overall infrastructure or data integrity during the incident.

This incident underscores the importance of robust security measures and continuous vigilance in the face of evolving cyber threats. Business owners and cybersecurity professionals should take note of the techniques involved in this vulnerability, particularly those relating to initial access and vulnerability exploitation as outlined in the MITRE ATT&CK framework. By understanding these tactics, organizations can better prepare and fortify their defenses against similar vulnerabilities in their own systems.