
A flaw in India Digilocker could’ve been exploited to bypass authentication


Any Indian DigiLocker Account Could’ve Been Accessed Without Password

The Indian Government fixed a flaw in its secure document wallet service DigiLocker that could have allowed access to any user's account without a password.

The Indian Government announced that it has fixed a critical vulnerability in its secure document wallet service DigiLocker that could have allowed a remote attacker to sign in as other users.

DigiLocker is an online service provided by the Ministry of Electronics and IT (MeitY), Government of India, under its Digital India initiative. DigiLocker gives every Aadhaar holder a cloud account from which authentic documents and certificates, such as a driving licence, vehicle registration or academic mark sheet, can be obtained in digital form from the original issuers. It also provides 1GB of storage per account for uploading scanned copies of legacy documents. The service has over 38 million registered users.

The flaw allowed an attacker to bypass the mobile one-time password (OTP) check and access the sensitive documents stored in any user's wallet.

The security researcher Mohesh Mohan wrote a post describing how he managed to gain access to a platform holding over 3 billion documents.

“The OTP function lacks authorization which makes it possible to perform OTP validation with submitting any valid user's details and then manipulation flow to sign in as a totally different user,” wrote Mohan.

Mohan discovered that an attacker could access any DigiLocker account knowing only its Aadhaar ID, the associated mobile number, or the username.

The attack steps described by the expert:

  1. The attacker uses a valid user account he controls and starts the login process by submitting its phone number.
  2. The attacker completes the OTP validation with the account (mobile number) he possesses.
  3. The attacker proceeds to submit the secret PIN.

The researcher pointed out that the DigiLocker mobile app uses a 4-digit PIN as an additional layer of security. However, he was able to modify the API calls that authenticate the PIN, binding the PIN to a different user and gaining access to the victim's account.

Because of the weak session handling protecting the APIs, they could be abused to reset the PIN of an arbitrary user given only that user's UUID.
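The three login steps and the PIN problem above come down to one server-side mistake: the OTP step records that some OTP was verified, but not for whom, so the PIN-reset and PIN-login calls accept whatever user_uuid the client sends. The following Python model is an added example, not DigiLocker's code or the researcher's script; the phone numbers, UUIDs, PINs and the method names issue_otp, verify_otp, reset_pin and login_with_pin are constructed for illustration. The same server runs in a flawed mode (the session carries only an otp_ok flag) and a bound mode (the session carries the principal that passed the OTP, and every later call must name that same principal).

```python
"""Added example, not DigiLocker code: an OTP-then-PIN login flow in which the
OTP check is, or is not, bound to the account that requested it.
All mobile numbers, UUIDs, OTPs and PINs are constructed test data."""
import hmac
import secrets


def fresh_directory():
    """Constructed user directory: mobile -> {uuid, pin}. Fresh per server."""
    return {
        "+910000000001": {"uuid": "uuid-attacker", "pin": "1111"},
        "+910000000002": {"uuid": "uuid-victim", "pin": "2222"},
    }


class AuthServer:
    """bind_identity=False models the flaw described in the article;
    bind_identity=True is the hardened behaviour."""

    def __init__(self, bind_identity):
        self.users = fresh_directory()
        self.by_uuid = {rec["uuid"]: mobile for mobile, rec in self.users.items()}
        self.otps = {}  # mobile -> OTP for the current login attempt
        self.bind_identity = bind_identity

    def issue_otp(self, mobile):
        """Step 1: client submits a phone number; a 6-digit OTP is sent to it.
        Delivery is not modelled, so the OTP is returned to the caller."""
        if mobile not in self.users:
            raise KeyError("unknown mobile")
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otps[mobile] = otp
        return otp

    def verify_otp(self, session, mobile, otp):
        """Step 2: OTP validation. Single use; constant-time comparison."""
        expected = self.otps.pop(mobile, None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return False
        if self.bind_identity:
            # Record WHO proved possession of the phone.
            session["principal"] = self.users[mobile]["uuid"]
        else:
            # BUG: only records THAT an OTP was verified, not for which user.
            session["otp_ok"] = True
        return True

    def _authorised(self, session, user_uuid):
        """Is this session allowed to act on user_uuid?"""
        if self.bind_identity:
            return session.get("principal") == user_uuid
        # BUG: any known UUID is accepted once any OTP has been verified.
        return bool(session.get("otp_ok")) and user_uuid in self.by_uuid

    def reset_pin(self, session, user_uuid, new_pin):
        """PIN reset keyed by UUID, the call the researcher abused."""
        if not self._authorised(session, user_uuid):
            return False
        self.users[self.by_uuid[user_uuid]]["pin"] = new_pin
        return True

    def login_with_pin(self, session, user_uuid, pin):
        """Step 3: submit the secret PIN. Returns the signed-in UUID or None."""
        if not self._authorised(session, user_uuid):
            return None
        rec = self.users[self.by_uuid[user_uuid]]
        return user_uuid if hmac.compare_digest(rec["pin"], pin) else None


def run_attack(server):
    """Attacker owns +910000000001 and knows only the victim's UUID.
    Steps 1-2 use the attacker's own phone; step 3 is replayed against
    the victim's UUID after resetting the victim's PIN."""
    session = {}
    otp = server.issue_otp("+910000000001")  # OTP lands on the attacker's phone
    if not server.verify_otp(session, "+910000000001", otp):
        raise RuntimeError("attacker's own OTP should validate")
    victim = "uuid-victim"
    server.reset_pin(session, victim, "9999")  # silently ignored when bound
    return server.login_with_pin(session, victim, "9999")


def run_legitimate(server):
    """The victim logging in normally must still succeed in both modes."""
    session = {}
    otp = server.issue_otp("+910000000002")
    server.verify_otp(session, "+910000000002", otp)
    return server.login_with_pin(session, "uuid-victim", "2222")


if __name__ == "__main__":
    print("flawed server, attacker ends up as:", run_attack(AuthServer(False)))
    print("bound server, attacker ends up as:", run_attack(AuthServer(True)))
```

The fix is not in the PIN or OTP checks themselves, which are already constant-time and single-use; it is that every step after the OTP must be authorised against the principal the OTP established, rather than against an identifier the client is free to rewrite.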

“It was observed that the API calls from mobile were using basic authentication to fetch data or do transactions. All calls from mobile have a header flag is_encrypted: 1 which denotes that the user has to submit the credentials (user_uuid:secret_pin) in basic auth format encrypted with Algorithm: AES/CBC/PKCS5Padding with key We4c4HYS5eagYdshfEP2KY27KwkjaZNH” continues the report.

“However it was found that the same api can be accessed with removing the is_encrypted: 1 flag and then submitting the credentials in basic auth format (user_uuid:secret_pin)”

The expert also discovered a weak SSL pinning mechanism in the mobile app.

The researcher reported his findings to CERT-In on May 10, and the issue was fixed on May 28.

“The nature of the vulnerability was such that an individual’s DigiLocker account could potentially get compromised if the attacker knew the username for that particular account,” Digilocker added in a tweet last week acknowledging the flaw. “It was not a vulnerability that could let anyone get access to [the] DigiLocker account of anyone whose username and other details were not known.”

“Upon analysis, it was discovered that this vulnerability had crept in the code when some new features were added recently. The vulnerability was patched on a priority basis by the technical team within a day of getting the alert from CERT-In. This was not an attack on infrastructure, and no data, database, storage, or encryption was compromised.”


Pierluigi Paganini

(SecurityAffairs – digilocker, hacking)
