Critical DigiLocker Vulnerabilities Put 3.8 Crore Users at Risk: Researcher - keatonhalk1956
The Indian government's 'DigiLocker' online cloud service reportedly had a critical authentication flaw that could have potentially allowed hackers to access the personal data of 38 million (3.8 crore) users. That's according to cyber-security researcher Ashish Gahlot, who says he discovered the vulnerability while analyzing the platform's authentication mechanism.
In a detailed post on Medium, he claimed that the vulnerability allowed him to intercept the connection and bypass the authentication with just a simple script. According to him: "So we can just compose a python script … and by just knowing the username we can change the password of ANY USER".
As it turns out, the flaw allowed anyone with decent skills to change the PIN of someone else's account even without a password. The flaw could also have potentially allowed malicious actors to take over user profiles by bypassing the OTP process and modifying the response, using an automated script to intercept the connection between the client device and the DigiLocker server.
Thankfully, both flaws are now said to have been fixed. Gahlot says he contacted the DigiLocker team with his findings on May 16th. While the OTP loophole was blocked just a couple of days later on May 18th, the PIN bypass vulnerability was fixed on June 1st.
The flaws in the DigiLocker system have now been fixed, but the developments still raise more questions about the security of government-run digital platforms in the country. While Aadhaar has suffered multiple security breaches since its inception, the recently open-sourced COVID-19 contact tracing app, Aarogya Setu, likewise reportedly has severe security loopholes that might jeopardize the privacy of unsuspecting users.
Source: https://beebom.com/digilocker-vulnerabilities-3-8-crore-users-affected/
Posted by: keatonhalk1956.blogspot.com