A security researcher, Ashish Gahlot, has discovered a vulnerability in the DigiLocker app that would allow attackers to take over users' accounts by changing their passwords with nothing more than the username.
DigiLocker is an app developed by the government that lets users store digital copies of legal documents such as Aadhaar, Driving Licence, PAN card, etc. on their smartphones.
The vulnerability found in the app put the accounts of about 3.8 crore (38 million) people at risk.
Ashish Gahlot found the vulnerability while going through the authentication mechanism of the DigiLocker app. By intercepting the connection to DigiLocker with only an Aadhaar number, he was able to bypass the OTP and PIN authentication that is required to log in to an account.
In short, the flaw in this mechanism would allow an attacker to set a new PIN and access the account while bypassing both OTP and PIN verification, simply by intercepting the connection to DigiLocker's servers and changing request parameters.
Ashish reported the issue to the DigiLocker team on the 16th of May; the OTP vulnerability was fixed on the 18th of May and the PIN bypass vulnerability on the 1st of June. Following the fix, DigiLocker took to Twitter to announce a clarification about the reported vulnerability.
Ashish, the security researcher who discovered the vulnerability, detailed his findings in a Medium post.
As per DigiLocker's national statistics, DigiLocker currently has 38.10 million registered users, 3.75 billion issued authentic documents, 155 issuer organisations and 44 requester organisations. In total, DigiLocker supports 389 document types, ranging from PAN card to Driving Licence and many more. By default, DigiLocker grants 1 GB of storage to each registered user.
A series of other government apps, such as the recently introduced Aarogya Setu and Aadhaar, were found to be vulnerable to various kinds of attacks. DigiLocker is now yet another app to be featured on that list.