https://www.outlookindia.com/website/story/french-security-researcher-lays-bare-aadhaar-details-of-lakhs-of-people-in-telan/308865
French Security Researcher Lays Bare Aadhaar Details Of Lakhs Of People In Telangana
The portal had account details including the Aadhaar numbers of 56 lakh beneficiaries of NREGA and 40 lakh of social security pension (SSP),
Image may be NSFW.
Clik here to view.
Clik here to view.
Amid raging debate surrounding Aadhaar data security, another major breach has come to light.
A French security researcher Baptiste Robert, who goes by 'Elliot Alderson' on twitter, on Sunday lay open Telangana government's benefit disbursement portal 'TSPost' exposing biometric details of a huge number of beneficiaries.
The portal had account details including the Aadhaar numbers of 56 lakh beneficiaries of NREGA and 40 lakh of social security pension (SSP), reportedTimes of India.
Advertisement opens in new window
In theory, a government website is very secure but in #India it's another story...tspost.aponline.gov.in is vulnerable to a basic SQL injection...Image may be NSFW.
Clik here to view.
Elliot used a basic hacking technique to break through the security wall. In theory, a government website is very secure but in #India it's another story...
http://tspost.aponline.gov.in is vulnerable to a basic SQL (structured query language) injection," he wrote on twitter.
http://tspost.aponline.gov.in is vulnerable to a basic SQL (structured query language) injection," he wrote on twitter.
"To be clear, all the data on this website can be a dump. Telangana government officials say they are working on to fix it. For this website, they have to hire decent web developers to protect it from attacks," he further added.
Advertisement opens in new window
The researcher said that he tweeted the breach only after a "reasonable delay" after reporting the matter to the site owners.
The site officials, however, fixed the breach by putting the system in offline mode. Elliot tweeted in the evening: "I don't know if I have to laugh or cry. http://tspost.aponline.gov.in owners fixed the issue by putting offline the website."
I don't know if I have to laugh or cry. tspost.aponline.gov.in owners fixed the issue by putting offline the website Image may be NSFW.
Clik here to view.
A TSPost official, while talking to the paper, said that the site is expected to get back by Tuesday evening.
Advertisement opens in new window
This comes at a time when several data breaches have been reported from different quarters of the country.
An investigative report titled "Rs 500, 10 minutes, and you have access to billion Aadhaar details"by The Tribune had revealed that details of Aadhaar is easily accessible, that too just by paying Rs 500.
According to the newspaper, its reporter purchased a service by anonymous sellers on WhatsApp and paid Rs 500 via Paytm to an agent of the group running a racket. The agent then created a “gateway” for the reporter and gave a login ID and password, thus giving unrestricted access to details, including name, address, postal code (PIN), photo, phone number and email, of more than 1 billion Aadhaar numbers submitted to the UIDAI, the Aadhaar issuing body.