Latest Aadhaar leak exposes security flaws in app developed by NIC
Crucial security flaws in the eHospital app developed by the National Informatics Centre (NIC) gave a Bengaluru-based software developer access to the Aadhaar numbers and personal details of thousands of citizens, officials said.
These flaws meant the Universal Identification Authority of India (UIDAI) servers were unable to distinguish between legitimate requests for Aadhaar data from NIC’s eHospital app, and unauthorised requests from “Mygov”, a free android app created by the developer, Abhinav Srivastava.
When Srivastava was arrested on July 26 this year, his app had already been downloaded 50,000 times, while the flaws he exploited had been live for two years. It is unclear if Srivastava is the only one to allegedly exploit the NIC vulnerability, but a senior NIC official admitted that it was possible.
“Some harm would happen if loopholes are exploited,” a NIC official told HT. “If someone finds a bug, they should report to NIC rather than exploit it.”
The UIDAI did not reply to requests for comment.
NIC is a government body that builds and maintains the digital networks that link every department and ministry of India’s central and state governments, and also extends Aadhaar-enabled services for numerous welfare programmes. But in recent months, websites maintained by NIC have inadvertently published the Aadhaar numbers and financial details of millions of citizens.
The eHospital app reveals in a nutshell how the headlong push to digitise government services at the cost of cybersecurity can put the personal data of citizens at risk.
“NIC is the biggest government implementer of e-governance, it is an unpardonable offence that they have made such a huge mistake,” said Dr Sandeep Shukla, head of the Computer Science department at IIT Kanpur, “NIC is incompetent but unfortunately all government activities happen through NIC.”
“eHospital was started in 2015,” said the NIC official, “People didn’t have confidence in Aadhaar…so the idea was to demonstrate the power of Aadhaar.”
The app uses UIDAI’s ‘know your customer’, or eKYC service, to let patients book appointments at government hospitals. As eHospital was designed for in rural areas with poor connectivity, the official said, NIC prioritised performance over security.
When security experts analysed eHospital, they found the app did not encrypt its communication with NIC’s servers. Second, the password was hardcoded in the eHospital application.
“This meant anyone could figure out the password and use NIC servers to get information from UIDAI,” explained Anivar Aravind, a technology consultant who has analysed the code, “The UIDAI servers would assume that the request is coming from NIC and would provide the information.”
In effect, Srivastava could build a replica of eHospital and NIC’s own servers could not tell the difference. And as UIDAI trusts agencies like NIC to act as gatekeepers, it released personal data of citizens on request. As Srivastava controlled the app, he could record the eKYC data of everyone who used his app.
“The problem is we are creating a huge ecosystem,” said Shukla, the IIT professor, explaining that such problems are likely to multiply as private and government agencies offer more Aadhaar-enabled services. “UIDAI authorities have created core security and encryption mechanism very well, but as you go outwards into the ecosystem, your control over those entities starts loosening.”