There have been many concerns over leaking Aadhaar data of Indian citizens, but UIDAI keeps reassuring people that there is no cause for panic since the service is foolproof. However, the French security researcher Robert Baptiste, better known by his Twitter handle Elliot Alderson, has published an article detailing how the Indian Oil Corporation-owned LPG provider Indane was leaking the Aadhaar numbers and data of more than 5.8 million Indane gas users. The security researcher claims that Indane was leaking Aadhaar and other data of its customers due to a lack of authentication on the company’s local dealers website.
In a tweet, Alderson revealed the development and later tweeted that within three hours of releasing the information, Indian Oil shut down the affected dealer portal. “We tried to contact them through multiple ways during days. Nobody answered,” his tweet states. As per Alderson’s blog post, he received the tip from someone on Twitter, who sent him a URL of the affected domain. He found that there were no credentials in place to restrict unauthorised access to the local dealers portal on Indane’s website, and that it was showing the names, addresses and Aadhaar numbers of their customers.
A screenshot of the Indane Gas webpage that leaked private data of its customers (Via Elliot Alderson)
To figure out exactly how many users’ data was leaking, the security researcher developed a Python script that scraped the information from Indane’s servers. The script is said to have run for an entire day to obtain information on a total of 5,826,116 Indane customers. Soon after, the script stopped working, and Alderson says it might be because his IP was blocked by Indane. Based on the time the script ran and the amount of data it managed to collect, he estimates that the final number of affected customers could be more than 67 lakh. There are finer details as to how the script worked, which you can read here on Elliot Alderson’s blog.
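The pattern described above, one client walking through customer records one ID at a time until its IP was blocked, is exactly what an operator should be able to spot in access logs long before millions of rows are gone. The following is an added example written for this article, not the researcher’s script and not Indane’s code: it parses constructed web-server log lines (the combined log format, a hypothetical `/dealer/customer?id=` path and RFC 5737 test addresses are all assumptions) and flags any client that fetches more distinct record IDs within a sliding time window than a real customer plausibly would.

```python
"""Added example (not from the article): flag clients that walk through many
distinct customer records on a record-lookup endpoint, the enumeration pattern
the article describes. Log format, URL path and IP addresses are assumptions."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed: combined-format access log; the dealer portal path is hypothetical.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
ID_RE = re.compile(r'[?&]id=(\d+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, record_id) for a successful record lookup, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m.group("status") != "200":
        return None
    id_m = ID_RE.search(m.group("path"))
    if not id_m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, id_m.group(1)


def find_enumerators(lines, window=timedelta(minutes=5), max_distinct_ids=20):
    """Per client IP, find the largest number of *distinct* record ids fetched
    within any sliding time window; return {ip: peak} for IPs over the limit.
    A real user re-reads their own few records; a scraper walks sequential ids."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, rid = parsed
            events[ip].append((ts, rid))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        in_window = deque()   # events still inside the trailing window
        seen = Counter()      # distinct ids in the window -> occurrence count
        peak = 0
        for ts, rid in evs:
            in_window.append((ts, rid))
            seen[rid] += 1
            while in_window and ts - in_window[0][0] > window:
                _, old = in_window.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            peak = max(peak, len(seen))
        if peak > max_distinct_ids:
            flagged[ip] = peak
    return flagged


def _log(ip, second, rid):
    """Build one constructed log line (sample data, not real traffic)."""
    ts = datetime(2019, 2, 19, 10, 0, 0) + timedelta(seconds=second)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"GET /dealer/customer?id={rid} HTTP/1.1" 200 512')


# Constructed sample: one client walking ids sequentially, one legitimate user
# re-fetching their own record, and one rejected request (ignored by the parser).
SAMPLE_LOG = (
    [_log("203.0.113.5", i, 100000 + i) for i in range(40)]
    + [_log("198.51.100.7", s, 100777) for s in (5, 60, 120)]
    + ['203.0.113.9 - - [19/Feb/2019:10:01:00 +0000] '
       '"GET /dealer/customer?id=1 HTTP/1.1" 403 0']
)

if __name__ == "__main__":
    for ip, peak in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {peak} distinct records within 5 minutes")
```

On the constructed sample the sequential client is reported with 40 distinct records in the window while the legitimate user, who only re-reads one record, is not. Counting distinct IDs rather than raw request volume is the design choice that matters: it keeps a customer refreshing their own page out of the alert while catching a crawler even when it throttles itself. Blocking the source address, as the article says eventually happened, is a response to this signal, not a substitute for requiring authentication on the endpoint in the first place.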
As per the researcher, he disclosed the vulnerability to Indane on February 15 and went ahead with the public disclosure today on February 19 as the company didn’t respond.
Update: Indian Oil has responded in a tweet to the report that its servers were leaking Aadhaar data. The company says there is "No Leak of Aadhaar Data" and that its software uses only the Aadhaar number for LPG subsidy transfer, so no Aadhaar data leak is possible via IndianOil. The statement ends with "There is no Aadhaar number hosted on this website," which we presume refers to the local dealers portal.
If you are an Indian citizen, there’s a high chance you have enrolled for an Aadhaar card and have a 12-digit random number issued by the Unique Identification Authority of India (UIDAI). There have been numerous concerns and reports of Aadhaar data of Indian citizens being leaked. In 2017, around 210 Central and State government departments' websites were reportedly displaying personal details and Aadhaar numbers of beneficiaries. In September last year, a report claimed that there is a software priced at Rs 2,500 that enables anyone from anywhere in the world to generate Aadhaar numbers.