Security researcher Elliot Anderson has discovered a huge leak of Aadhaar numbers from Indane’s website as well as its app. The leak has put the Aadhaar numbers of 6.7 million people at risk.
According to a report from TechCrunch, Indane Gas has apparently leaked the data of around 6.7 million subscribers through its website and app. The leak was discovered by an anonymous security researcher, who reported it to Elliot Anderson (Robert Baptiste). Anderson has been investigating leaks in the Aadhaar system for quite some time and is known for exposing some of the biggest Aadhaar-related leaks last year.
The report states that Anderson examined the case and found the leak in Indane’s distributor portal. The portal’s lack of authentication meant that Anderson was able to easily access critical data of almost 6.7 million subscribers. Anderson could extract details such as Aadhaar numbers, names, addresses and dealer IDs. Anderson also discovered that the Indane Gas app for Android contained a loophole. Anderson developed a custom script that was able to get data for up to 11,000 dealers, which eventually led to the extraction of Aadhaar data of up to 5.8 million subscribers.
In a separate blog post on medium.com, Anderson states that the leak was reported to Indane but he didn’t get a reply, so the leak was made public. It is said that the page has now been taken down, but it’s not yet known how much damage the exposed endpoint has done. The exposure put the data of an estimated 6.7 million Indane subscribers at risk.
So far, UIDAI hasn’t issued an official statement regarding the alleged leak reported by TechCrunch and Anderson. However, this proves once again that UIDAI’s system isn’t as secure as the agency assures from time to time. Not long ago, it was reported that the Jharkhand government accidentally left the Aadhaar data of thousands of government employees exposed due to some kind of lapse in security.