An ethical French hacker claims to have found a vulnerability on the Indian state-owned gas agency’s website, Indane, which has exposed nearly 6 million Aadhaar numbers of dealers, customers and distributors.
Elliot Alderson wrote a blog post on 18 February, in which he detailed how he got alerted about a vulnerability on a web portal meant for local dealers through a private message. The exposed data includes names, Aadhaar numbers and addresses of the customers.
The cyber security researcher looked at an Android app of the Indane, and there he found “Locate Your Distributor” feature, and this option let you find the ids of the dealers of the corresponding “bgadistrict”. With the dichotomy method he was able to easily find out the ids of all the dealers in 714 bgadistrict.
“Great, time to code! We have everything we need to get the size of this leak. Thanks to the endpoint found in the Android app, we will obtain all the valid dealer ids and then we will scrape all the “Total records” in the local dealer portal,” Alderson wrote.
He wrote a python script, and then executed the script, which fetched him 11062 valid dealer ids. “After more than 1 day, my script tested 9490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak.”
Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1572 dealers. By doing some basic math we can estimate the final number of affected customers around 6,791,200,” Alderson further added.
However, Indane has refused to acknowledge the data leak, meanwhile Anderson has snapped back with a meme at the gas agency. UIDAI did not respond to the data leak reports.