Twitter user chips at mAadhaar, uncovers security holes
DH Web Desk
Elliot Anderson, who goes by the handle fs0c131y, took a peek into the mAadhaar app and found several glaring flaws in the app's security.

On deeper inspection, Anderson found that the app saves the user's biometric data in a local database whose password is built from a random number, produced by a generator seeded with the hardcoded value 123456789, combined with a hardcoded string.


The code was found to be exactly the same as code posted by a user on Stack Overflow as part of their question:

Anderson then suggested removing the developer endpoint from the release application.

When the Aadhaar autopsy started to pick up steam on social media, Anderson was hit with a string of questions about the manner in which the password is generated. In response, Anderson posted a proof of concept (POC) on GitHub detailing the process:
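To show why a hardcoded seed defeats the purpose of a "random" password, here is an added illustration (not the app's code and not Anderson's POC): a generator seeded with the constant 123456789 returns the same database password on every install, so it is effectively a constant, while a CSPRNG secret generated once per install is not. The password layout, the placeholder hardcoded string and the review check are assumptions for the example.

```python
import random
import secrets
import string

# Constructed illustration. The article states only that the password came from a
# random number generated with the seed 123456789 plus a hardcoded string; the
# exact layout below is assumed, and HARDCODED_STRING is a placeholder value.
HARDCODED_SEED = 123456789
HARDCODED_STRING = "placeholder-app-constant"
ALPHABET = string.ascii_letters + string.digits


def weak_db_password(length: int = 16) -> str:
    """Seeded PRNG: the seed fixes the whole sequence, so every install gets the
    same 'random' characters and the same final password."""
    rng = random.Random(HARDCODED_SEED)  # fixed seed => fixed output
    chars = "".join(rng.choice(ALPHABET) for _ in range(length))
    return chars + HARDCODED_STRING


def strong_db_password(length: int = 32) -> str:
    """CSPRNG secret generated once per install; in a real app it would then be
    stored in the platform keystore (assumed), never derived from constants."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_effectively_constant(generator, trials: int = 5) -> bool:
    """Review check: a 'password generator' that returns the same value on every
    fresh call is a constant, and anyone who can read the app can reproduce it."""
    first = generator()
    return all(generator() == first for _ in range(trials - 1))


if __name__ == "__main__":
    print("seeded generator constant:", is_effectively_constant(weak_db_password))
    print("CSPRNG generator constant:", is_effectively_constant(strong_db_password))
```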

Anderson looked into the official documentation and learnt that the app stores the user's ID, Aadhaar number, name, date of birth, address, gender and photo.

Eventually, after a lot of digging, Anderson found the password salt used by the Aadhaar app, which was embarrassing, to say the least:

Anderson decided to contact Khosla Labs, the company that made the Aadhaar app, to show them some of their glaring mistakes and oversights:

(Published 12 January 2018, 13:40 IST)