Why bother hacking a so-called “ultra-secure encrypted database that is being protected behind 13 feet high and 5 feet thick walls” when one can simply fetch a copy of the same data from other sources?
French security researcher Baptiste Robert, who goes by the pseudonym “Elliot Alderson” on Twitter, with the help of an Indian researcher who wishes to remain anonymous, discovered that the official website of Indane, a popular state-owned LPG supplier, is leaking the personal details of millions of its customers, including their Aadhaar numbers.
This is not the first time an unprotected third-party system has leaked the Aadhaar details of Indian citizens. Aadhaar is the unique identification number issued to residents of India under the government’s biometric identity programme, which is maintained by the Unique Identification Authority of India (UIDAI).
Earlier this week the anonymous Indian researcher discovered a flaw in Indane’s online dealers portal that allowed anyone, without any authentication, to access the records of hundreds of thousands of customers associated with their respective dealers.
“Due to a lack of authentication in the local dealers portal, Indane is leaking the names, addresses and the Aadhaar numbers of their customers,” Robert wrote in a blog post on Medium late Monday.
To avoid getting into trouble with the Indian authorities, the researcher shared the findings with Robert, who previously gained fame for exposing numerous Aadhaar-related leaks and security weaknesses in other Indian websites and services.
After analysing the issue, Robert found that an attacker could pull the data of millions of Indian citizens from the Indane website given only the dealers’ usernames, which he subsequently obtained through a separate vulnerability in Indane’s official mobile app. In other words, the dealer portal treated knowledge of a dealer ID as sufficient to read that dealer’s customer records.
The mobile app vulnerability allowed Robert to collect 11,062 valid dealer IDs, of which he ran 9,490 against the online dealers portal to fetch the personal data of 5.8 million customers, including their Aadhaar numbers, names and residential addresses.
“Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1572 dealers. By doing some basic math we can estimate the final number of affected customers at around 6,791,200,” Robert says.
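The pattern behind the leak, as an added example that is not Indane’s code and does not reproduce any real endpoint: a dealer lookup whose only input is a dealer ID, alongside a hardened version that requires a session bound to that dealer and returns only what the portal needs. The dealer IDs, customer records and session tokens below are constructed placeholders.

```python
"""Toy model of an unauthenticated, ID-keyed lookup and its hardened form.
Added illustration only; every record, dealer ID and token here is made up."""

from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: three dealers with a handful of customers each.
CUSTOMERS: Dict[str, List[Dict[str, str]]] = {
    "dealer-0001": [
        {"name": "Customer A", "address": "1 Example Road", "aadhaar": "111122223333"},
        {"name": "Customer B", "address": "2 Example Road", "aadhaar": "111122224444"},
    ],
    "dealer-0002": [
        {"name": "Customer C", "address": "3 Example Road", "aadhaar": "555566667777"},
    ],
    "dealer-0003": [
        {"name": "Customer D", "address": "4 Example Road", "aadhaar": "888899990000"},
        {"name": "Customer E", "address": "5 Example Road", "aadhaar": "888899991111"},
        {"name": "Customer F", "address": "6 Example Road", "aadhaar": "888899992222"},
    ],
}


def vulnerable_lookup(dealer_id: str) -> List[Dict[str, str]]:
    """The weak pattern: no session and no ownership check. The dealer ID is
    the only input, so anyone who can obtain or guess dealer IDs reads every
    customer record in full."""
    return list(CUSTOMERS.get(dealer_id, []))


def harvest(dealer_ids: List[str],
            lookup: Callable[[str], List[Dict[str, str]]]) -> List[Dict[str, str]]:
    """What an attacker holding a list of dealer IDs does: iterate and collect.
    Against vulnerable_lookup this yields the entire customer base."""
    leaked: List[Dict[str, str]] = []
    for dealer_id in dealer_ids:
        leaked.extend(lookup(dealer_id))
    return leaked


# --- hardened version -------------------------------------------------------

class Unauthenticated(Exception):
    """No valid session was presented."""


class Forbidden(Exception):
    """Valid session, but it does not own the requested dealer's records."""


# Constructed stand-in for a server-side session store: token -> owning dealer.
SESSIONS: Dict[str, str] = {"tok-for-dealer-0001": "dealer-0001"}


def mask_aadhaar(number: str) -> str:
    """Data minimisation: a dealer portal rarely needs more than the last four digits."""
    return "XXXX-XXXX-" + number[-4:]


def hardened_lookup(dealer_id: str, session_token: Optional[str]) -> List[Dict[str, str]]:
    """Authentication (a valid session) plus object-level authorization (the
    session must belong to the dealer being queried). Knowing a dealer ID is
    no longer enough, and the response is minimised."""
    owner = SESSIONS.get(session_token or "")
    if owner is None:
        raise Unauthenticated("login required")
    if owner != dealer_id:
        raise Forbidden("%s may not read %s" % (owner, dealer_id))
    return [{**rec, "aadhaar": mask_aadhaar(rec["aadhaar"])}
            for rec in CUSTOMERS.get(dealer_id, [])]


def harvest_hardened(dealer_ids: List[str],
                     session_token: Optional[str]) -> Tuple[List[Dict[str, str]], int]:
    """The same enumeration attempt against the hardened handler: returns the
    records obtained and the number of requests refused."""
    leaked: List[Dict[str, str]] = []
    refused = 0
    for dealer_id in dealer_ids:
        try:
            leaked.extend(hardened_lookup(dealer_id, session_token))
        except (Unauthenticated, Forbidden):
            refused += 1
    return leaked, refused


if __name__ == "__main__":
    ids = list(CUSTOMERS)
    print("unauthenticated enumeration leaked", len(harvest(ids, vulnerable_lookup)), "records")
    got, refused = harvest_hardened(ids, None)
    print("hardened, no session:", len(got), "records,", refused, "refused")
    got, refused = harvest_hardened(ids, "tok-for-dealer-0001")
    print("hardened, one dealer's session:", len(got), "records,", refused, "refused")
```

The point of the hardened handler is that an IP block of the kind Robert ran into only slows enumeration down; the ownership check is what stops a single leaked list of dealer IDs from turning into the whole customer base.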
Robert shared his findings with Indane, an LPG brand owned by the Indian Oil Corporation, on 15th February, and made the public disclosure on 19th February after receiving no response from the company.