DigiLocker Flaw Put Over 3.8 Crore Accounts at Risk: Researcher

The DigiLocker team has now fixed the issue.

DigiLocker Flaw Put Over 3.8 Crore Accounts at Risk: Researcher

DigiLocker has over 3.84 crore registered users

  • DigiLocker was found to have a flaw in its authentication mechanism
  • It allowed anyone to gain access to user accounts
  • DigiLocker team was told about the vulnerability last month

DigiLocker, an online service from the government that allows individuals to store documents digitally, was found to have an authentication flaw, putting the data of crores of users at risk. The issue was first discovered by a researcher last month and existed in the sign-in process of the service. This could have allowed bad actors to bypass the two-factor authentication and access sensitive personal information. The flaw has now been fixed. Notably, the online facility by the government has over 3.84 crore users.

A security researcher, Ashish Gahlot, discovered the vulnerability in the DigiLocker system while analysing its authentication mechanism. The researcher found that although the default mechanism asks for a one-time password (OTP) and a PIN to log in to the digital storage, he was able to bypass the authentication after adding an Aadhaar number and intercepting the connection to DigiLocker and changing the parameters, as explained by the researcher in a post on Medium.

The authentication flaw allowed anyone with sufficient technical skills to set up a new PIN and even access the DigiLocker account, without requiring any passwords. The flaw could also allow attackers to acquire a user profile by bypassing the OTP process and modifying the response using an interception tool.

Gahlot discovered the vulnerability last month and reported it to the DigiLocker team shortly. The team fixed the PIN bypassing issue in a couple of days, however, the OTP bypass issue was resolved on Monday.

In a statement released late-Tuesday, DigiLocker team acknowledged the vulnerability and said that it had "crept" in the code when new features were added to the platform recently. The team also claimed an attacker could only compromise the account of a DigiLocker user if they had the username of that account. Further, the team mentioned that no data was compromised because of the said vulnerability. As we mentioned earlier, the flaw is now patched.

As per the latest statistics available on the DigiLocker site, there are more than 3.84 crore registered users on the platform. It also issued over 375 authentic documents and has a total of 155 issuer organisations and 45 requestor organisations. The platform is used to store documents such as Aadhaar card, insurance letters, income tax (IT) returns, mark sheets by various state and central boards, and driving licence issued by state governments. Moreover, it is handled by the National e-Governance Division (NeGD), led by the Ministry of Electronics and Information Technology (MeitY).

Editor's Note: Updated with response from DigiLocker team.

In 2020, will WhatsApp get the killer feature that every Indian is waiting for? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.


For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Jagmeet Singh
Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a principal correspondent for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13 or Email at jagmeets@ndtv.com. Please send in your leads and tips. More
Coronavirus-Tracking App Angers Thousands in Moscow With Fines
Asus TUF Series Laptops, ROG Series Desktops With AMD Ryzen CPUs, Nvidia GPUs Launched in India: Price and Specifications
Read in: हिंदी
Share on Facebook Tweet Snapchat Share Reddit Comment



© Copyright Red Pixels Ventures Limited 2022. All rights reserved.