Hackers Could Access 38 Million Indian DigiLocker Accounts Without a Password
Clarification about Reported Vulnerability on DigiLocker👇 pic.twitter.com/hEz19QJDsj
— DigiLocker (@digilocker_ind) June 2, 2020
For those who are unaware, DigiLocker is a government-operated document wallet that stores sensitive documents and certificates, such as driving licences, vehicle registrations and academic mark sheets, in the cloud.
The critical vulnerability in DigiLocker was reported separately by two independent bug bounty researchers, Mohesh Mohan and Ashish Gahlot.
The flaw essentially allowed malicious actors with some technical know-how to bypass the 2FA required to log into the application.
The login process could be manipulated with the help of basic user information from the victim's Aadhaar card, combined with intercepting the app's requests to the server and changing their parameters.
This means that unauthorized users could log in, set a new PIN, and gain unrestricted access to the sensitive personal data stored on DigiLocker's cloud servers without ever entering a password.
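The bug class described above, a second-factor check that can be passed on one account and then reused against another by editing a parameter in the follow-up request, is easiest to see in code. The model below is an added illustration written for this article, not DigiLocker's implementation; the account identifiers, phone numbers and the request shape (send OTP, verify OTP, reset PIN) are assumptions, and the sample accounts are constructed. The same class is instantiated twice: once with the "OTP verified" token unbound from any account, and once with the token tied server-side to the account whose phone received the OTP.

```python
# Added illustration of an OTP-gated PIN reset, weak and hardened.
# Not DigiLocker's code; identifiers, phone numbers and flow are assumptions.
import secrets
import hmac

# Constructed sample data: identifier -> registered phone and current PIN.
SAMPLE_ACCOUNTS = {
    "victim-0001": {"phone": "+91-9000000001", "pin": "1234"},
    "attacker-0002": {"phone": "+91-9000000002", "pin": "9999"},
}


class OtpServer:
    """Minimal model of a server that lets a user reset their PIN after OTP.

    bind_token_to_account=False reproduces the weak design: the token only
    proves that *some* OTP was verified, so the account parameter on the next
    request is trusted as sent.  True is the hardened design: the token is
    tied server-side to the account the OTP was sent for, and is single-use.
    """

    def __init__(self, bind_token_to_account: bool):
        self.bind = bind_token_to_account
        self.accounts = {k: dict(v) for k, v in SAMPLE_ACCOUNTS.items()}
        self.pending_otp = {}   # account -> OTP awaiting verification
        self.verified = {}      # token -> bound account (None when unbound)
        self.sms_outbox = {}    # phone -> OTP; stands in for the SMS gateway

    def send_otp(self, account: str) -> None:
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[account] = otp
        self.sms_outbox[self.accounts[account]["phone"]] = otp

    def verify_otp(self, account: str, otp: str):
        # One attempt per issued OTP; constant-time compare.
        expected = self.pending_otp.pop(account, None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return None
        token = secrets.token_urlsafe(32)
        self.verified[token] = account if self.bind else None
        return token

    def reset_pin(self, account: str, token: str, new_pin: str) -> bool:
        if token not in self.verified:
            return False
        bound_account = self.verified.pop(token)   # consume: single-use
        if self.bind and bound_account != account:
            return False   # token was verified for a different account
        self.accounts[account]["pin"] = new_pin
        return True


def attacker_resets_victim_pin(server: OtpServer) -> bool:
    """Attacker passes OTP on their own account, then swaps the account
    parameter in the follow-up request (the interception step in the text)."""
    server.send_otp("attacker-0002")
    otp = server.sms_outbox[SAMPLE_ACCOUNTS["attacker-0002"]["phone"]]
    token = server.verify_otp("attacker-0002", otp)
    # Tampered request: the attacker's own token, the victim's identifier.
    changed = server.reset_pin("victim-0001", token, "0000")
    return changed and server.accounts["victim-0001"]["pin"] == "0000"


def owner_resets_own_pin(server: OtpServer) -> bool:
    """Legitimate flow: OTP delivered to and verified for the same account."""
    server.send_otp("victim-0001")
    otp = server.sms_outbox[SAMPLE_ACCOUNTS["victim-0001"]["phone"]]
    token = server.verify_otp("victim-0001", otp)
    return server.reset_pin("victim-0001", token, "5678")


if __name__ == "__main__":
    print("unbound token, attack succeeds:",
          attacker_resets_victim_pin(OtpServer(bind_token_to_account=False)))
    print("bound token, attack fails:",
          attacker_resets_victim_pin(OtpServer(bind_token_to_account=True)))
```

The point of the hardened branch is that the proof of OTP possession lives in server state keyed to the account the OTP was sent for, so the identifier the client puts in the later request carries no authority on its own; consuming the token on first use additionally stops a captured token being replayed.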
The vulnerability in DigiLocker was identified and reported last month and was partially fixed within a couple of days, but the OTP bypass itself was not fixed until yesterday. So far, there are no reports of unauthorized access to or misuse of user data.