Bug Found In Indian DigiLocker: Anyone Can Access Your Account


A vulnerability has been found in DigiLocker, the Indian Government's secure document wallet service. The flaw could let an attacker bypass the mobile one-time password (OTP) check and sign in to a victim's account.

Any Indian DigiLocker Account Could’ve Been Accessed Without Password


Two researchers, Mohesh Mohan and Ashish Gahlot, found the bugs. The vulnerability could easily have been used to gain unauthorised access to the documents that targeted users had uploaded to the Government platform.

Researcher Mohesh Mohan said, “The OTP function lacks authorization, which makes it possible to perform OTP validation by submitting any valid user's details and then manipulating the flow to sign in as a totally different user.”

All an attacker needs to gain unauthorised access to a targeted DigiLocker account is the victim's Aadhaar ID, linked mobile number, or username. With that, the attacker can trigger the service to send an OTP and then use the flaw to bypass the rest of the sign-in process.

The mobile app adds a 4-digit PIN as an extra layer of security, but the researchers say it was possible to modify the PIN-verification API call so that the PIN was associated with another user, and thereby log in to the app as the victim.
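The authorization gap in the OTP step quoted above and the PIN binding flaw in the mobile app are the same mistake: the identity a factor was verified for is not the identity the server ends up trusting. The Python below is an added illustration written for this article, not DigiLocker's code; the user records, identifiers, OTPs, PINs, and request field names (otp_user, login_user, pin_user) are invented to show the pattern. Each vulnerable step is paired with a hardened version that binds the check to a single identity.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed example for this article, not DigiLocker's code. Users, OTPs and
# PINs are made-up test data; PINs are kept in plaintext only for brevity.


@dataclass
class User:
    user_id: str
    username: str
    mobile: str
    pin: str


USERS = {
    "u-1001": User("u-1001", "victim", "+919000000001", "4821"),
    "u-2002": User("u-2002", "attacker", "+919000000002", "1111"),
}
PENDING_OTPS = {}  # user_id -> OTP awaiting verification
SESSIONS = {}      # token -> {"user_id": ..., "pin_ok": bool}


def find_user(identifier):
    """Resolve a username, linked mobile number or user id to a record."""
    for u in USERS.values():
        if identifier in (u.user_id, u.username, u.mobile):
            return u
    return None


def request_otp(identifier):
    """Step 1: anyone who knows an identifier can trigger an OTP for that user."""
    u = find_user(identifier)
    if u is None:
        raise ValueError("unknown user")
    PENDING_OTPS[u.user_id] = f"{secrets.randbelow(10**6):06d}"
    return PENDING_OTPS[u.user_id]  # sent to u.mobile in reality; returned so the demo runs offline


def otp_valid(user_id, otp):
    expected = PENDING_OTPS.get(user_id)
    return expected is not None and hmac.compare_digest(expected, otp)


def new_session(user_id):
    token = secrets.token_hex(16)
    SESSIONS[token] = {"user_id": user_id, "pin_ok": False}
    return token


def verify_otp_vulnerable(req):
    """Step 2, vulnerable: the OTP is checked for req['otp_user'], but the session
    is issued for req['login_user'], a separate client-controlled field."""
    owner = find_user(req["otp_user"])
    if owner is None or not otp_valid(owner.user_id, req["otp"]):
        return None
    target = find_user(req["login_user"])  # never tied to the verified OTP
    return new_session(target.user_id) if target else None


def verify_otp_fixed(req):
    """Step 2, fixed: only the identity the OTP was verified for reaches the
    session, and the OTP is consumed on use."""
    owner = find_user(req["otp_user"])
    if owner is None or not otp_valid(owner.user_id, req["otp"]):
        return None
    del PENDING_OTPS[owner.user_id]
    return new_session(owner.user_id)


def verify_pin_vulnerable(token, req):
    """Step 3, vulnerable: the PIN is compared with whichever user the client
    names in req['pin_user'], so an attacker's own PIN unlocks a victim session."""
    sess, pin_owner = SESSIONS.get(token), find_user(req["pin_user"])
    if sess and pin_owner and hmac.compare_digest(pin_owner.pin, req["pin"]):
        sess["pin_ok"] = True
        return True
    return False


def verify_pin_fixed(token, req):
    """Step 3, fixed: the PIN is compared only with the session owner's PIN."""
    sess = SESSIONS.get(token)
    if sess and hmac.compare_digest(USERS[sess["user_id"]].pin, req["pin"]):
        sess["pin_ok"] = True
        return True
    return False


def demo():
    """Attacker knows only the victim's username and uses their own OTP and PIN.
    Returns (user_id, pin_ok) of the resulting session for each flow."""
    otp = request_otp("attacker")
    tok = verify_otp_vulnerable({"otp_user": "attacker", "otp": otp, "login_user": "victim"})
    verify_pin_vulnerable(tok, {"pin_user": "attacker", "pin": "1111"})
    otp = request_otp("attacker")
    tok2 = verify_otp_fixed({"otp_user": "attacker", "otp": otp})  # no login_user field
    verify_pin_fixed(tok2, {"pin": "1111"})
    as_tuple = lambda t: (SESSIONS[t]["user_id"], SESSIONS[t]["pin_ok"])
    return {"vulnerable": as_tuple(tok), "fixed": as_tuple(tok2)}
```

Running demo() shows the vulnerable flow producing a fully unlocked session for the victim's user_id from the attacker's own OTP and PIN, while the fixed flow can only produce a session for the user the OTP was actually sent to. The fix is structural rather than a patch on the check: there is no request field through which a second identity can enter, the OTP is single-use, and the PIN is compared against the session owner instead of a client-named user.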

DigiLocker has more than 38 million registered users. It is a cloud-based platform intended to promote online processing of documents and the delivery of various government-to-citizen services. A user's mobile number and Aadhaar number are linked to the account in the app.


Moreover, the API calls from the mobile app were protected only by HTTP basic authentication, and that check could be bypassed simply by removing the “is_encrypted: 1” header flag from the request.
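How a client-supplied header can switch off a server-side check, as an added example for this article rather than DigiLocker's code. It assumes the server enforced HTTP basic authentication only when the request carried is_encrypted: 1, which is one reading of the sentence above; the API credential, header dictionaries and the handler names are constructed for the demo, and header names are assumed to be already normalised to the spelling used here.

```python
import base64
import hmac

# Constructed example for this article, not DigiLocker's code. The credential
# below stands in for whatever the mobile app embeds; it is made-up test data.
API_USER = b"mobileapp"
API_PASS = b"s3cret"


def basic_auth_ok(headers):
    """Parse 'Authorization: Basic <base64(user:pass)>' and compare in constant time."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return False
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    user, _, password = raw.partition(b":")
    user_ok = hmac.compare_digest(user, API_USER)
    pass_ok = hmac.compare_digest(password, API_PASS)
    return user_ok and pass_ok


def handle_vulnerable(headers):
    """Credentials are only checked when the client itself says is_encrypted: 1,
    so a request that omits the flag is served without any authentication."""
    if headers.get("is_encrypted") == "1" and not basic_auth_ok(headers):
        return 401
    return 200


def handle_fixed(headers):
    """Credentials are checked regardless of any client-supplied flag."""
    if not basic_auth_ok(headers):
        return 401
    return 200


def demo():
    """Return the status each handler gives to a legitimate request and to one
    with the flag and the credentials both stripped."""
    good = base64.b64encode(API_USER + b":" + API_PASS).decode()
    with_creds = {"is_encrypted": "1", "Authorization": "Basic " + good}
    flag_dropped = {}  # attacker sends neither the flag nor an Authorization header
    return {
        "vulnerable_with_creds": handle_vulnerable(with_creds),
        "vulnerable_flag_dropped": handle_vulnerable(flag_dropped),
        "fixed_with_creds": handle_fixed(with_creds),
        "fixed_flag_dropped": handle_fixed(flag_dropped),
    }
```

The vulnerable handler returns 200 for the flag-less request because the only code path that inspects the Authorization header is gated on a value the attacker controls. The general rule is that whether a request is authenticated must never depend on anything the client sends other than the credential itself.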

In a tweet, DigiLocker said, “The nature of the vulnerability was such that an individual's DigiLocker account could potentially get compromised if the attacker knew the username for that particular account. It was not a vulnerability that could let anyone get access to [the] DigiLocker account of anyone whose username and other details were not known.”

The post Bug Found In Indian DigiLocker: Anyone Can Access Your Account appeared first on TechViral.
