Researcher finds a flaw in the Indian government’s DigiLocker App which could have allowed any hacker to access it without a password
If you are an Indian, you probably know about the DigiLocker app. DigiLocker is available to all Indians to store their vital papers, licences, and certificates remotely and retrieve them wherever required. For example, if you save your driving licence to DigiLocker and are stopped by a traffic policeman, you can show the officer the DigiLocker copy of the licence. DigiLocker has nearly 40 million users and is accessed via the user's mobile number and Aadhaar ID.
A security researcher, Mohesh Mohan, found a critical vulnerability in the way DigiLocker handles one-time passwords (OTPs). Mohan discovered that an attacker could bypass the mobile OTP check, sign in as the victim, and access the victim's sensitive documents stored on the platform.
To exploit this vulnerability, the attacker only needs to know the victim's Aadhaar ID, linked mobile number, or username. With one of those in hand, the attacker can abuse the flaw to bypass the sign-in process.
Mohan reported the vulnerability to CERT-In. CERT-In acknowledged it, and the flaw has since been patched, on 28th May. CERT-In tweeted about the update:
Clarification about Reported Vulnerability on DigiLocker👇 pic.twitter.com/hEz19QJDsj
— DigiLocker (@digilocker_ind) June 2, 2020
According to CERT-In, the vulnerability could only be exploited if the attacker knew both the Aadhaar ID and the linked mobile number of the victim. It also said there are no reports of the vulnerability being exploited in the wild. The flaw has now been patched, and you can only activate your DigiLocker once you have entered the OTP. You can read the entire proof of concept for the vulnerability on Mohan's blog here.
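The article does not describe the internals of the flaw or of DigiLocker's code, so the following is an added illustration (not DigiLocker's code and not from Mohan's write-up) of the property the fix restores: an OTP login where knowing a victim's identifier (Aadhaar number, mobile number or username) lets you start a login but never finish one, because the only code path that grants access is a server-side OTP check. All names, the five-minute expiry, the five-attempt lockout and the sample identifier are assumptions made for the example.

```python
# Added example (not code from the article or from DigiLocker): a minimal
# server-side OTP login flow. Access is granted only by a session token, and
# the only code path that issues one is verify_otp(), so a client that knows
# just the account identifier cannot reach the protected documents.
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumption: an OTP is valid for five minutes
MAX_OTP_ATTEMPTS = 5    # assumption: discard the attempt after five wrong codes


@dataclass
class LoginAttempt:
    identifier: str
    otp: str
    created_at: float
    failures: int = 0


class OtpLoginServer:
    """Two-step login: identifier first, then the OTP sent out of band.

    There is no client-settable 'verified' flag; the server decides.
    """

    def __init__(self, now=time.time):
        self._now = now                                  # injectable clock for tests
        self._attempts: dict[str, LoginAttempt] = {}     # attempt_id -> pending OTP
        self._sessions: dict[str, str] = {}              # session token -> identifier
        self.sent_otps: list[tuple[str, str]] = []       # stand-in for the SMS gateway

    def start_login(self, identifier: str) -> str:
        """Step 1: anyone who knows the identifier may start; nothing is granted yet."""
        otp = f"{secrets.randbelow(1_000_000):06d}"
        attempt_id = secrets.token_urlsafe(16)
        self._attempts[attempt_id] = LoginAttempt(identifier, otp, self._now())
        self.sent_otps.append((identifier, otp))         # "SMS" to the registered phone
        return attempt_id

    def verify_otp(self, attempt_id: str, code: str):
        """Step 2: return a session token only for a correct, unexpired, unused OTP."""
        attempt = self._attempts.get(attempt_id)
        if attempt is None:
            return None
        if self._now() - attempt.created_at > OTP_TTL_SECONDS:
            del self._attempts[attempt_id]               # expired: start over
            return None
        if not hmac.compare_digest(attempt.otp, code):   # constant-time compare
            attempt.failures += 1
            if attempt.failures >= MAX_OTP_ATTEMPTS:
                del self._attempts[attempt_id]           # brute-force lockout
            return None
        del self._attempts[attempt_id]                   # one-time use: no replay
        token = secrets.token_urlsafe(32)
        self._sessions[token] = attempt.identifier
        return token

    def is_authenticated(self, token: str) -> bool:
        return token in self._sessions

    def get_documents(self, token: str) -> list[str]:
        """Protected resource: served only against a token issued by verify_otp()."""
        if token not in self._sessions:
            raise PermissionError("no verified session")
        owner = self._sessions[token]
        return [f"driving-licence-of-{owner}"]           # constructed sample data


def demo() -> dict:
    """Walk through the flow with a constructed identifier and report each outcome."""
    server = OtpLoginServer()
    attempt = server.start_login("9999999999")           # constructed mobile number
    skipped = server.is_authenticated(attempt)           # attempt id is not a session
    wrong = server.verify_otp(attempt, "not-the-otp")    # guessing fails
    otp = server.sent_otps[-1][1]                        # the real user reads the SMS
    token = server.verify_otp(attempt, otp)
    replay = server.verify_otp(attempt, otp)             # second use is rejected
    return {
        "skipped": skipped,
        "wrong_rejected": wrong is None,
        "login_ok": token is not None,
        "replay_rejected": replay is None,
        "docs": server.get_documents(token),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the injectable clock and the `sent_otps` list is that the expiry, lockout and one-time-use rules can be exercised offline; in a real deployment the OTP would go to an SMS gateway and the attempt and session stores would live in a database with the same server-side semantics.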