Critical Vulnerability on Indian State Government Website Leaks PII of Residents

An Indian state government has fixed security issues impacting its website that exposed the sensitive documents and personal information of millions of residents. The bugs existed on the Rajasthan government website related to Jan Aadhaar, a state program to provide a single identifier to families and individuals in the state to access welfare schemes. One of the bugs allowed anyone to access personal documents and information with knowledge of a registrant’s phone number. The state’s Jan Aadhaar portal, which launched in 2019, says it has more than 78 million individual registrants and 20 million families. The portal aims to offer “One Number, One Card, One Identity” to residents in the northern state of Rajasthan for accessing state government welfare schemes.

An Indian state government recently took action to address security concerns on its website, which had been exposing the sensitive documents and personal information of millions of residents.

The affected website belonged to the Rajasthan government and was related to its Jan Aadhaar program. This initiative aims to provide a single identification number to individuals and families in the state, allowing them to access various welfare schemes. Unfortunately, the website had previously unknown vulnerabilities that put its users’ sensitive information at risk.

The security flaws – discovered by Viktor Markopoulos, a researcher from cybersecurity company CloudDefense.ai – were brought to the attention of TechCrunch in December. Markopoulos sought help from the media outlet to disclose the issues to the authorities.

Thanks to the intervention of the Indian Computer Emergency Response Team (CERT-In), the bugs were fixed last week.

One of the vulnerabilities enabled anyone who knew a registrant’s phone number to access that registrant’s personal documents and information. The other flaw allowed sensitive data to be retrieved because the server did not properly validate the one-time passwords (OTPs) meant to gate access. Both issues posed serious threats to the privacy of Jan Aadhaar registrants.
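As an added illustration of the second flaw (not code from the Jan Aadhaar portal or from the researcher's findings), the following hypothetical OTP-gated lookup places a check that only confirms a code was issued beside one that actually validates the submitted code. The store, the phone numbers and the time values are constructed for the example.

```python
# Hypothetical illustration, not the portal's code: an OTP store with a flawed
# and a proper verification path for an OTP-gated document lookup.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class OtpRecord:
    code: str           # six-digit code issued to the phone number
    expires_at: float   # absolute time after which the code is invalid
    attempts: int = 0   # wrong guesses so far
    used: bool = False  # a code may be consumed only once


class OtpStore:
    def __init__(self, ttl_seconds: float = 300, max_attempts: int = 5):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._records: Dict[str, OtpRecord] = {}

    def issue(self, phone: str, now: Optional[float] = None) -> str:
        """Generate a fresh code for `phone`, replacing any earlier one."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._records[phone] = OtpRecord(code=code, expires_at=now + self.ttl)
        return code  # in a real system this goes to the SMS gateway, not the caller

    def verify_weak(self, phone: str, submitted: str) -> bool:
        """Flawed check: releases data whenever a code was issued and some value
        was sent, without comparing it. Any phone with a pending OTP passes."""
        return phone in self._records and bool(submitted)

    def verify(self, phone: str, submitted: str, now: Optional[float] = None) -> bool:
        """Proper check: the code must exist, be unexpired and unused, be under
        the attempt cap, and match in constant time. It is consumed on success."""
        now = time.time() if now is None else now
        rec = self._records.get(phone)
        if rec is None or rec.used or now > rec.expires_at:
            return False
        if rec.attempts >= self.max_attempts:
            return False
        if not hmac.compare_digest(rec.code.encode(), submitted.encode()):
            rec.attempts += 1
            return False
        rec.used = True
        return True
```

Every condition in `verify` corresponds to a way a server can accept an OTP it should reject: a code for a different phone, a stale code, a replayed code, an unbounded guess count, or a comparison that leaks timing.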

TechCrunch reached out to the Jan Aadhaar Authority of the Rajasthan government on December 22, and followed up a week later, but received no response. As a result, TechCrunch informed CERT-In about the bugs and confirmed with the agency on Thursday that the issues had been resolved.

“This is to inform you that we have received a response from the concerned authority that the reported vulnerability has been fixed,” CERT-In told TechCrunch. Markopoulos also confirmed the fix.

TechCrunch attempted to contact the Rajasthan government for a statement prior to publishing, but did not receive a response.

The Jan Aadhaar portal, which was launched in 2019, boasts over 78 million individual registrants and 20 million families. Its purpose is to provide “One Number, One Card, One Identity” to residents of the northern state of Rajasthan so they can access government welfare schemes. This differs from the regular Aadhaar card, which is available for enrollment to eligible individuals nationwide and is provided by the Unique Identification Authority of India (UIDAI) – an agency backed by the central government.

Max Chen

Max Chen is an AI expert and journalist with a focus on the ethical and societal implications of emerging technologies. He has a background in computer science and is known for his clear and concise writing on complex technical topics. He has also written extensively on the potential risks and benefits of AI, and is a frequent speaker on the subject at industry conferences and events.

