Hindustan Times (Chandigarh)

Security flaw in app exposes Aadhaar data vulnerability

- Aman Sethi and Samarth Bansal

NEW DELHI: Crucial security flaws in the e-hospital app developed by the National Informatics Centre (NIC) gave a Bengaluru-based software developer access to the Aadhaar numbers and personal details of thousands of citizens, officials said.

These flaws meant the Unique Identification Authority of India (UIDAI) servers were unable to distinguish between legitimate requests for Aadhaar data from NIC’s e-hospital app and unauthorised ones from MyGov, a free Android app developed by Abhinav Srivastava. When Srivastava was arrested on July 26, his app had already been downloaded 50,000 times, while the flaws he exploited had been live for two years. It is unclear if Srivastava is the only one to have allegedly exploited the vulnerability, though a senior NIC official admitted it was possible.

“Some harm would happen if loopholes are exploited,” the official told HT. “If anyone finds a bug, they should report it to NIC rather than exploit it.”

The UIDAI did not reply to requests for comment.

NIC is a government body that builds and maintains the digital networks that link every department and ministry of central and state governments, and extends Aadhaar-enabled services for numerous welfare programmes. Of late, several websites maintained by it have inadvertently published Aadhaar numbers and financial details of citizens.

The e-hospital app reveals in a nutshell how the headlong push to digitise government services at the cost of cybersecurity can put citizens’ personal data at risk. “NIC is the biggest government implementer of e-governance. It’s an unpardonable offence that they have made such a huge mistake,” said Dr Sandeep Shukla, head of the Computer Science department at IIT Kanpur. “NIC is incompetent but unfortunately all government activities happen through it.”

“e-hospital was started in 2015,” the NIC official said. “People didn’t have confidence in Aadhaar, so the idea was to demonstrate the power of Aadhaar.”

The app uses UIDAI’s ‘know your customer’ (eKYC) service to let patients book appointments at government hospitals. As e-hospital was designed for rural areas with poor connectivity, the official said, NIC prioritised performance over security.

When security experts analysed the app, they found two flaws: it did not encrypt its communication with NIC’s servers, and the password it used to authenticate to those servers was hardcoded into the app.

“This meant anyone could figure out the password and use NIC servers to get information from UIDAI,” said Anivar Aravind, a technology consultant who analysed the code. “UIDAI servers would assume that the request was coming from NIC and provide the information.”

In effect, Srivastava could build a replica of e-hospital and NIC’s own servers could not tell the difference. And as UIDAI trusts agencies like NIC to act as gatekeepers, it released personal data of citizens on request.
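The trust chain the article describes, as an added illustration that is not code from the article, NIC or UIDAI: a toy gateway that accepts one password baked into every app copy, beside one that issues each installation its own credential so every upstream lookup can be attributed and revoked. All names, secrets and data here are constructed.

```python
"""Toy model: many app copies -> gateway (NIC's role) -> identity service
(UIDAI's role), which answers anything the gateway forwards. Constructed."""
import hashlib
import hmac
import secrets
from typing import Optional

HARDCODED_APP_PASSWORD = "constructed-shared-secret"  # same in every app build


def upstream_lookup(request_id: str) -> dict:
    """Stands in for the identity service: it trusts the gateway unconditionally."""
    return {"request_id": request_id, "record": "<redacted demographic data>"}


class SharedPasswordGateway:
    """Weak design: one static password for all clients. A replica app that
    learned the password is indistinguishable from the genuine one, and there
    is no per-client identity to log or revoke."""

    def lookup(self, password: str, request_id: str) -> Optional[dict]:
        if not hmac.compare_digest(password, HARDCODED_APP_PASSWORD):
            return None
        return upstream_lookup(request_id)


class PerInstallGateway:
    """Hardened design: each installation enrols once and gets its own
    credential (HMAC of its id under a server-side key, never shipped in
    the app), so lookups are attributable and a leaked credential is revocable."""

    def __init__(self) -> None:
        self._server_key = secrets.token_bytes(32)
        self._revoked: set = set()
        self.audit: list = []  # (install_id, request_id) per forwarded lookup

    def enrol(self, install_id: str) -> str:
        return hmac.new(self._server_key, install_id.encode(), hashlib.sha256).hexdigest()

    def revoke(self, install_id: str) -> None:
        self._revoked.add(install_id)

    def lookup(self, install_id: str, credential: str, request_id: str) -> Optional[dict]:
        if install_id in self._revoked:
            return None
        # Recompute the expected credential; constant-time compare.
        if not hmac.compare_digest(credential, self.enrol(install_id)):
            return None
        self.audit.append((install_id, request_id))  # attribution the shared design lacks
        return upstream_lookup(request_id)
```

A credential extracted from one installation still works until that installation is revoked; the gain over the shared password is that the gateway can see which client made each request and cut off that client alone.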
