DigiLocker Flaw Put Over 3.8 Crore Accounts at Risk: Researcher

The DigiLocker team has now fixed the issue.

Highlights
  • DigiLocker was found to have a flaw in its authentication mechanism
  • It allowed anyone to gain access to user accounts
  • DigiLocker team was told about the vulnerability last month
DigiLocker has over 3.84 crore registered users

DigiLocker, an online service from the government that allows individuals to store documents digitally, was found to have an authentication flaw, putting the data of crores of users at risk. The issue was first discovered by a researcher last month and existed in the sign-in process of the service. This could have allowed bad actors to bypass the two-factor authentication and access sensitive personal information. The flaw has now been fixed. Notably, the online facility by the government has over 3.84 crore users.

A security researcher, Ashish Gahlot, discovered the vulnerability in the DigiLocker system while analysing its authentication mechanism. Although the default mechanism asks for a one-time password (OTP) and a PIN to log in to the digital storage, he was able to bypass the authentication after adding an Aadhaar number, intercepting the connection to DigiLocker, and changing the parameters, as the researcher explained in a post on Medium.

The authentication flaw allowed anyone with sufficient technical skills to set up a new PIN and even access the DigiLocker account, without requiring any passwords. The flaw could also allow attackers to acquire a user profile by bypassing the OTP process and modifying the response using an interception tool.
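Both bypasses described above depend on the server acting on something the client controls: a request parameter or the client's view of an OTP reply. The sketch below is an added illustration, not DigiLocker's code or the researcher's; the article does not publish the real endpoints or parameters, so `LoginFlow` and all of its method and field names are hypothetical. It shows a flow in which OTP verification is recorded only in server-side session state and the PIN change is bound to the session's own user.

```python
import hmac
import secrets


class AuthError(Exception):
    """Raised when a request is not backed by verified server-side state."""


class LoginFlow:
    """Hypothetical OTP + PIN flow; every trust decision lives on the server."""

    def __init__(self):
        self._sessions = {}  # token -> {"user", "otp", "otp_ok", "tries"}
        self.pins = {}       # user -> PIN (a real service stores a salted hash)

    def start(self, user):
        token = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._sessions[token] = {"user": user, "otp": otp, "otp_ok": False, "tries": 0}
        return token, otp  # the OTP is sent out of band, never in the HTTP reply

    def verify_otp(self, token, otp):
        s = self._session(token)
        s["tries"] += 1
        if s["tries"] > 3:
            raise AuthError("too many OTP attempts")
        ok = hmac.compare_digest(s["otp"].encode(), otp.encode())
        s["otp_ok"] = s["otp_ok"] or ok  # recorded server-side; the reply is advisory
        return ok

    def set_pin(self, token, claimed_user, new_pin):
        s = self._require_verified(token)
        if claimed_user != s["user"]:  # a user field swapped in transit is rejected
            raise AuthError("user parameter does not match session")
        self.pins[s["user"]] = new_pin

    def get_profile(self, token):
        return {"user": self._require_verified(token)["user"]}

    def _session(self, token):
        if token not in self._sessions:
            raise AuthError("unknown session")
        return self._sessions[token]

    def _require_verified(self, token):
        s = self._session(token)
        if not s["otp_ok"]:  # a client that rewrote the OTP reply still fails here
            raise AuthError("OTP not verified for this session")
        return s
```

With this structure, editing the OTP reply in an interception proxy changes only what the client displays; the later profile and PIN requests are still refused.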

Gahlot discovered the vulnerability last month and reported it to the DigiLocker team shortly afterwards. The team fixed the PIN bypass issue in a couple of days; the OTP bypass issue, however, was resolved on Monday.

In a statement released late on Tuesday, the DigiLocker team acknowledged the vulnerability and said that it had "crept" into the code when new features were added to the platform recently. The team also claimed an attacker could only compromise the account of a DigiLocker user if they had the username of that account. Further, the team mentioned that no data was compromised because of the said vulnerability. As we mentioned earlier, the flaw is now patched.

As per the latest statistics available on the DigiLocker site, there are more than 3.84 crore registered users on the platform. It also issued over 375 authentic documents and has a total of 155 issuer organisations and 45 requestor organisations. The platform is used to store documents such as Aadhaar card, insurance letters, income tax (IT) returns, mark sheets by various state and central boards, and driving licence issued by state governments. Moreover, it is handled by the National e-Governance Division (NeGD), led by the Ministry of Electronics and Information Technology (MeitY).

Editor's Note: Updated with response from DigiLocker team.
