DigiLocker, the Government of India's online service for storing documents digitally, has over 38.4 million (3.84 crore) users across India.
Last month, security researcher Ashish Gahlot discovered a vulnerability in the sign-in process of DigiLocker's authentication system that put the data of all its users at risk. He said the issue could have allowed hackers or other bad actors to bypass the service's two-factor authentication (2FA) and access sensitive personal data.
He also notes that he reported the issue to the DigiLocker team promptly and that all the issues have now been fixed.
In his analysis, he found that after entering an Aadhaar number he could bypass the service's default one-time password (OTP) and PIN checks by intercepting the requests to DigiLocker and modifying their parameters. He notes that the flaw allowed anyone with enough technical skill to set a new PIN and gain access to the DigiLocker account without knowing its password.
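The article does not say which parameters were modified, so the following is an added illustration of the flaw class rather than DigiLocker's code or the researcher's proof of concept. It models a three-step login (Aadhaar number, OTP, then set or use a PIN) in which the PIN-setting step trusts a client-supplied `otp_verified` parameter, next to a version that records OTP success only in server-side session state. The account number, parameter names, class names and the request shape are all assumptions made for the example.

```python
"""Constructed example: a multi-step login whose server trusts a client-supplied
'OTP verified' parameter, beside a version that keeps that state server-side.
Not DigiLocker code; every identifier here is invented for illustration."""
import hmac
import secrets
import time

# Constructed sample account; the Aadhaar number and PIN are made up.
SAMPLE_USERS = {"123412341234": {"pin": "4321"}}
OTP_TTL_SECONDS = 300
MAX_OTP_ATTEMPTS = 5


def _new_otp():
    return f"{secrets.randbelow(10**6):06d}"


class VulnerableLogin:
    """Step 3 (set PIN) decides whether step 2 (OTP) happened by reading an
    `otp_verified` field from the request itself. Anyone who can intercept and
    edit the request sets that field and skips the OTP entirely."""

    def __init__(self):
        self.users = {k: dict(v) for k, v in SAMPLE_USERS.items()}
        self.sessions = {}

    def start(self, aadhaar):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"aadhaar": aadhaar, "otp": _new_otp()}
        return sid  # the OTP itself would go to the registered mobile number

    def set_pin(self, request):
        sess = self.sessions.get(request.get("sid"))
        if sess is None:
            return "no session"
        # BUG: verification state is taken from the attacker-controlled request.
        if request.get("otp_verified") != "1":
            return "otp required"
        self.users[sess["aadhaar"]]["pin"] = request["new_pin"]
        return "pin set"


class HardenedLogin:
    """Same flow, but the 'OTP verified' bit lives only in server-side session
    state, is set only by a successful constant-time OTP comparison, and the OTP
    is single-use, time-limited and attempt-limited."""

    def __init__(self):
        self.users = {k: dict(v) for k, v in SAMPLE_USERS.items()}
        self.sessions = {}

    def start(self, aadhaar):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {
            "aadhaar": aadhaar,
            "otp": _new_otp(),
            "expires": time.time() + OTP_TTL_SECONDS,
            "attempts": 0,
            "otp_verified": False,
        }
        return sid

    def verify_otp(self, sid, submitted):
        sess = self.sessions.get(sid)
        if sess is None or sess["otp"] is None or time.time() > sess["expires"]:
            return False
        sess["attempts"] += 1
        if sess["attempts"] > MAX_OTP_ATTEMPTS:
            del self.sessions[sid]  # too many guesses: discard the session
            return False
        if not hmac.compare_digest(sess["otp"].encode(), str(submitted).encode()):
            return False
        sess["otp_verified"] = True
        sess["otp"] = None  # single use
        return True

    def set_pin(self, request):
        sess = self.sessions.get(request.get("sid"))
        # Only the server-side flag counts; nothing in `request` can override it.
        if sess is None or not sess["otp_verified"]:
            return "otp required"
        self.users[sess["aadhaar"]]["pin"] = request["new_pin"]
        del self.sessions[request["sid"]]  # the step-up authentication is consumed
        return "pin set"


def tampered_request(sid, new_pin):
    """What an interceptor sends: the OTP step is skipped and 'verified' is asserted."""
    return {"sid": sid, "otp_verified": "1", "new_pin": new_pin}


def demo():
    aadhaar = "123412341234"
    vuln = VulnerableLogin()
    sid = vuln.start(aadhaar)
    vuln_result = vuln.set_pin(tampered_request(sid, "0000"))

    hard = HardenedLogin()
    sid = hard.start(aadhaar)
    bypass_result = hard.set_pin(tampered_request(sid, "0000"))
    legit_otp = hard.sessions[sid]["otp"]  # stands in for reading the SMS
    hard.verify_otp(sid, legit_otp)
    legit_result = hard.set_pin({"sid": sid, "new_pin": "0000"})
    return vuln_result, bypass_result, legit_result


if __name__ == "__main__":
    print(demo())  # ('pin set', 'otp required', 'pin set')
```

The practical check when reviewing such a flow is to remove or flip every client-side indicator of progress (flags like `otp_verified`, step numbers, "success" fields) in the intercepted request and confirm the server still refuses the privileged step; if it does not, the server is reading its authentication state from the wrong place.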
DigiLocker is used to store important documents such as the Aadhaar card, insurance letters, income tax (IT) returns, mark sheets issued by various state and central boards, and driving licences issued by state governments.
It is run by the National e-Governance Division (NeGD), which comes under the Ministry of Electronics and Information Technology (MeitY) of India.