A security researcher discovered and reported security vulnerabilities on the Rajasthan government website related to Jan Aadhaar, a state program providing a unique identifier for residents accessing welfare schemes. The bugs exposed copies of sensitive documents, including Aadhaar cards, birth and marriage certificates, electricity bills, and income statements. The issues, resolved with the intervention of CERT-In (Indian Computer Emergency Response Team), raised concerns about the exposure of personal information of millions of individuals.
Discovery of Bugs: Security researcher Viktor Markopoulos identified security flaws on the Jan Aadhaar portal in December, exposing sensitive documents and personal information. The vulnerabilities were brought to the attention of TechCrunch for responsible disclosure.
Nature of Bugs: One flaw allowed anyone who knew a registrant's phone number to access that registrant's personal documents and information without authorization. Another bug enabled the retrieval of sensitive data because the server did not properly validate one-time passwords.
Impact: The security issues posed significant risks as they potentially exposed Aadhaar cards, birth and marriage certificates, and financial documents. Personal details, such as date of birth, gender, and father’s name, were also at risk.
Intervention by CERT-In: Following the responsible disclosure, CERT-In intervened to address the vulnerabilities on the Rajasthan government website. The agency confirmed the resolution of the bugs, highlighting the effectiveness of collaborative efforts between security researchers and authorities.
Jan Aadhaar Portal: Launched in 2019, the Jan Aadhaar portal is a state initiative in Rajasthan providing a single identifier to residents for accessing government welfare schemes. The portal boasts over 78 million individual registrants and 20 million families.
One Number, One Card, One Identity: The Jan Aadhaar program aims to streamline access to state government welfare schemes by offering a unified identifier, emphasizing “One Number, One Card, One Identity” for residents in Rajasthan.
The resolution of security vulnerabilities on the Jan Aadhaar portal underscores the importance of timely identification and remediation of flaws in government systems. The collaboration between security researchers, media, and authorities, as demonstrated in this case, plays a crucial role in enhancing the overall security posture and protecting the sensitive information of citizens.
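
Both flaws described under "Nature of Bugs" come down to checks the server has to enforce itself: the one-time password must be validated server-side, and document access must be tied to a verified session, not to a phone number supplied in the request. The following is an added illustration of those two controls, not code from the Jan Aadhaar portal or from the researcher; the class `OtpGate`, its method names, the expiry and attempt limits, and the in-memory stores are assumptions made for the example.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 300        # seconds an OTP stays valid (assumed policy)
MAX_ATTEMPTS = 5     # wrong guesses allowed per issued OTP (assumed policy)

class OtpGate:
    """Server-side OTP check; a verified session, not the phone number, authorizes reads."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # phone -> [otp_digest, expires_at, attempts_left]
        self.sessions = {}   # session token -> phone number proven by OTP

    @staticmethod
    def _digest(otp):
        return hashlib.sha256(otp.encode()).digest()

    def issue(self, phone):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = [self._digest(otp), self.clock() + OTP_TTL, MAX_ATTEMPTS]
        return otp  # delivered by SMS only; never echoed in the HTTP response

    def verify(self, phone, otp):
        rec = self.pending.get(phone)
        if rec is None or self.clock() > rec[1]:
            self.pending.pop(phone, None)      # unknown or expired: reject
            return None
        rec[2] -= 1
        ok = hmac.compare_digest(rec[0], self._digest(otp))  # constant-time compare
        if ok or rec[2] <= 0:
            del self.pending[phone]            # single use; lock out after too many guesses
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = phone           # bind the session to the proven number
        return token

    def fetch_documents(self, token, phone, store):
        # Knowing a phone number is not enough: the session must have proven it.
        owner = self.sessions.get(token)
        if owner is None or owner != phone:
            raise PermissionError("no verified session for this registrant")
        return store.get(phone, [])
```
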