Clarification about Reported Vulnerability on DigiLocker👇 pic.twitter.com/hEz19QJDsj
— DigiLocker (@digilocker_ind) June 2, 2020
For those who are unaware, DigiLocker is a Government-operated document wallet that saves your sensitive documents/certificates like driving license, vehicle registration, academic mark sheet, etc., on the cloud.
The critical vulnerability in DigiLocker was reported separately by two independent bug bounty researchers, Mohesh Mohan and Ashish Gahlot.
The flaw essentially allowed malicious actors with some technical knowhow to easily bypass the 2FA required to log into the application.
The login process could be manipulated with the help of basic user information from Aadhar Card and by intercepting and changing the parameters of the app’s connection to the server.
This means that unauthorized users could log in, create a new pin, and get unrestricted access to sensitive personal data stored on DigiLocker’s cloud server without even entering a password.
The vulnerability in DigiLocker was identified and reported last month and was partially fixed within a couple of days. But the OTP bypass issue was fixed yesterday only. So far, there are no reports of unauthorized access or misuse of user data.