An Indian state government has fixed security issues affecting its website that exposed sensitive documents and personal information of millions of residents.
The bugs affected the Rajasthan government’s website for Jan Aadhaar, a state program that provides a single identifier for families and individuals in the state to access social welfare programmes. The bugs exposed copies of Aadhaar cards, birth and marriage certificates, electricity bills and income data relating to registrants, as well as personal information such as their date of birth, gender and father’s name.
Security researcher Victor Markopoulos, who works for cybersecurity firm CloudDefense.ai, discovered the bugs in the Jan Aadhaar portal in December and asked TechCrunch to help disclose them to authorities.
The bugs were fixed last week through the intervention of the Indian Computer Emergency Response Team, or CERT-In.
One bug allowed anyone to access documents and personal information by knowing the registrant’s phone number.
The researcher explained that the other bug allowed sensitive data to be returned because the server was not properly validating one-time passwords.
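Both bug classes described above come down to the server releasing a record without a check it performed itself. The following sketch is an added example, not the portal's code: the class, method names, expiry time and attempt limit are assumptions, and the phone numbers in any usage are constructed. It shows an OTP verified only against server-held state, and record access authorized by the verified session rather than by the phone number in the request.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 300        # seconds an issued code stays valid (assumed policy)
MAX_ATTEMPTS = 5     # wrong guesses allowed before the code is discarded (assumed)

class OtpGate:
    """Hypothetical server-side OTP state; the client never decides it is verified."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}    # phone -> [otp_digest, expires_at, attempts_left]
        self._sessions = {}   # session token -> phone number it was verified for

    def issue(self, phone):
        otp = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(otp.encode()).digest()
        self._pending[phone] = [digest, self._clock() + OTP_TTL, MAX_ATTEMPTS]
        return otp  # sent out of band (SMS); never echoed in the HTTP response

    def verify(self, phone, otp):
        entry = self._pending.get(phone)
        if entry is None or self._clock() > entry[1]:
            self._pending.pop(phone, None)   # unknown or expired code
            return None
        entry[2] -= 1
        ok = hmac.compare_digest(entry[0], hashlib.sha256(otp.encode()).digest())
        if ok or entry[2] <= 0:
            del self._pending[phone]         # single use; lock out after too many guesses
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = phone        # bind the session to the verified number
        return token

    def fetch_record(self, token, phone, records):
        # Authorize on the server-held binding, not on the phone number the client sends.
        if self._sessions.get(token) != phone:
            raise PermissionError("no verified session for this phone number")
        return records[phone]
```
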
TechCrunch reached out to the Rajasthan government’s Jan Aadhaar Authority on December 22 and followed up a week later, but did not receive a response. TechCrunch then shared details of the flaw with CERT-In, which confirmed on Thursday that the flaw had been fixed.
“This is to inform you that we have received a response from the relevant authority that the reported vulnerability has been fixed,” the agency told TechCrunch. The researcher also confirmed the fix.
TechCrunch again reached out to the Rajasthan government for comment before publication, but we did not hear back.
The state’s Jan Aadhaar portal, which was launched in 2019, says it has more than 78 million individual registrants and 20 million families. The portal aims to provide “one number, one card, one identity” to residents of the northern state of Rajasthan to access social welfare programs offered by the state government. This is in contrast to the regular Aadhaar card, which is open for enrollment to eligible individuals across India and is issued by the central government-backed Unique Identification Authority of India, or UIDAI.