An Indian state government has fixed security issues affecting its website that exposed sensitive documents and personal information of millions of residents.
The bugs were on the Rajasthan government’s website for Jan Aadhaar, a state program to provide a unique identifier to families and individuals in the state to access welfare schemes. The bugs revealed copies of Aadhaar cards, birth and marriage certificates, electricity bills and income statements related to the registrants, as well as personal information such as their date of birth, gender and father’s name.
Security researcher Victor Markopoulos, who works for cybersecurity firm CloudDefense.ai, found the bugs in the Jan Aadhaar portal in December and asked TechCrunch for help in disclosing them to the authorities.
The bugs were patched last week through intervention by India’s Computer Emergency Response Team, or CERT-In.
One of the bugs allowed anyone to access personal documents and information by knowing a registrant’s phone number.
The other bug allowed sensitive data to be returned because the server wasn’t properly checking the validity of one-time passwords, the researcher explained.
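The two flaws described above correspond to two server-side checks: records are released only to a session that passed OTP verification, and the OTP is validated on the server with an expiry, an attempt limit and single use. The Python sketch below is an added example, not the portal's code, which the article does not describe; the function names, time-to-live, attempt limit and sample record are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window
MAX_ATTEMPTS = 5       # assumed guess limit per issued code
# Constructed sample data: the phone number and record are made up.
RECORDS = {"+910000000001": {"name": "Sample Registrant", "documents": ["doc-1"]}}
_pending = {}   # phone -> digest, expiry and attempt count of the issued code
_sessions = {}  # session token -> phone proven by a successful OTP check

def _digest(phone, otp):
    # Keep only a digest bound to the phone number, never the code itself.
    return hashlib.sha256(f"{phone}:{otp}".encode()).hexdigest()

def issue_otp(phone, now=None):
    """Create a code for a known registrant; the caller delivers it by SMS."""
    now = time.time() if now is None else now
    if phone not in RECORDS:
        return None
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[phone] = {"digest": _digest(phone, otp),
                       "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return otp

def verify_otp(phone, otp, now=None):
    """Return a session token only when the server itself confirms the code."""
    now = time.time() if now is None else now
    entry = _pending.get(phone)
    if entry is None or now > entry["expires"]:
        _pending.pop(phone, None)
        return None
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[phone]  # too many guesses: a new code must be issued
        return None
    if not hmac.compare_digest(entry["digest"], _digest(phone, otp)):
        return None
    del _pending[phone]  # single use
    token = secrets.token_urlsafe(32)
    _sessions[token] = phone
    return token

def get_record(token):
    """Look up data by verified session, never by a phone number in the request."""
    phone = _sessions.get(token)
    return RECORDS.get(phone) if phone else None
```
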
TechCrunch contacted the Rajasthan government’s Jan Aadhaar Authority on December 22 and followed up a week later, but did not receive a response. TechCrunch subsequently shared the details of the bugs with CERT-In, which confirmed on Thursday that the bugs had been fixed.
“We inform you that we have received a response from the relevant authority that the reported vulnerability has been patched,” the agency told TechCrunch. The researcher also confirmed the fix.
TechCrunch again reached out to the Rajasthan government for comment ahead of publication, but we have not heard back.
The state’s Jan Aadhaar portal, launched in 2019, says it has more than 78 million individual enrollees and 20 million families. The portal aims to provide ‘One Number, One Card, One ID’ to residents in the northern state of Rajasthan to access welfare schemes of the state. This is in contrast to the regular Aadhaar card, which is available for enrollment to eligible individuals across India and is provided by the central government-backed Unique Identification Authority, or UIDAI.