Two researchers, Mohesh Mohan and Ashish Gahlot, found the bugs. The vulnerability could easily have been used to gain unauthorised access to documents that targeted users had uploaded to the government platform.
One of the researchers, Mohesh Mohan, said, “The OTP function lacks authorization, which makes it possible to perform OTP validation by submitting any valid user's details and then manipulate the flow to sign in as a totally different user.”
All an attacker needed was the Aadhaar ID, linked mobile number or username of the victim to gain unauthorised access to the targeted Digilocker account: request that the service send an OTP, then use the flaw to bypass the sign-in process.
The mobile version of the app does add a 4-digit PIN for security. However, the researchers say it was possible to modify the API calls that authenticate the PIN so that the PIN was bound to another user, and then log in to the app as the victim.
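The two weaknesses described above, OTP validation that trusts client-supplied identity and a PIN check that can be re-pointed at another user, both come from letting the client say whose login is being completed. The following is an added illustration of a server-side design that fixes the identity at OTP request time and derives it from the session thereafter; it is not DigiLocker's code, and the class, its in-memory storage and the OTP lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime of a one-time code


def hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class LoginService:
    # Two-step login: the OTP establishes a session, the PIN then unlocks it.
    def __init__(self, users):
        self._users = users      # username -> {"salt": bytes, "pin_hash": bytes}
        self._pending = {}       # txn id -> {"username", "otp", "expires"}
        self._sessions = {}      # session token -> username

    def request_otp(self, username):
        if username not in self._users:
            return None
        txn = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        # The identity is fixed server-side at request time, keyed by txn.
        self._pending[txn] = {"username": username, "otp": otp,
                              "expires": time.time() + OTP_TTL_SECONDS}
        return txn, otp  # the OTP would go out by SMS; returned here for the test

    def verify_otp(self, txn, otp_submitted):
        # No username parameter: the client cannot choose who it verifies as.
        rec = self._pending.pop(txn, None)  # single use, whether it passes or not
        if rec is None or time.time() > rec["expires"]:
            return None
        if not hmac.compare_digest(rec["otp"], otp_submitted):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = rec["username"]  # session bound to the requester
        return token

    def verify_pin(self, session_token, pin):
        # The PIN is checked against the session's own user; any user id the
        # client might add to the request is never read.
        username = self._sessions.get(session_token)
        if username is None:
            return False
        user = self._users[username]
        return hmac.compare_digest(hash_pin(pin, user["salt"]), user["pin_hash"])
```

The same pattern applies to any second factor: the server record created when the challenge is issued, not a field in the client's next request, decides which account the challenge belongs to.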
Digilocker has more than 38 million registered users. It is a cloud-based digital platform intended to promote online processing of documents and delivery of various government-to-citizen services. The user's mobile number and Aadhaar card number are linked in the app.
Moreover, the API calls from the mobile app are protected only by basic authentication, which could be bypassed by removing the header flag “is_encrypted: 1”.
In a tweet, Digilocker said, “The nature of the vulnerability was such that an individual’s DigiLocker account could potentially get compromised if the attacker knew the username for that particular account.” “It was not a vulnerability that could let anyone get access to [the] DigiLocker account of anyone whose username and other details were not known.”