[BreachExchange] Vulnerability In DigiLocker Could Have Allowed Access To Over 3 Billion Documents

Destry Winant destry at riskbasedsecurity.com
Thu Jun 11 10:23:58 EDT 2020


The Indian government has fixed a critical vulnerability in its secure
document wallet service ‘DigiLocker’ that could have allowed access
to over 3 billion documents.

For those unaware, DigiLocker is an online service provided by the
Ministry of Electronics and IT (MeitY), Government of India under its
Digital India initiative.

DigiLocker provides an account in the cloud to every Aadhaar holder to
access authentic documents/certificates such as driving license,
vehicle registration, academic mark sheet in digital format from the
original issuers of these certificates.

It also provides 1GB storage space to each account to upload scanned
copies of legacy documents. The service has over 38 million registered

The issue was first discovered by Mohesh Mohan, a senior security
specialist for Dubai Smart Government. According to Mohan, the flaw
could have potentially allowed a remote attacker to bypass mobile
one-time passwords (OTP) and sign in as other users to access the
sensitive documents stored in the wallet of any user.

“The OTP function lacks authorization which makes it possible to
perform OTP validation with submitting any valid user’s details and
then manipulation flow to sign in as a totally different user,” Mohan
wrote in a blog post detailing his findings.

According to Mohan, an attacker could gain unauthorised access to any
DigiLocker account by using the victim’s Aadhaar ID or the
associated mobile number or username. This prompts the service to send
an OTP and subsequently exploit the flaw to bypass the sign-in

The researcher also pointed out that the mobile app version of
DigiLocker uses a 4-digit PIN for an extra layer of security. However,
he found that it was possible to modify the API calls to authenticate
the PIN by linking the PIN to another user (identified with a
version-5 UUID) and successfully access the victim’s account.

This means “you can do the SMS OTP [verification] as one user and
submit the pin of a second user, and finally, you will end up logging
in as the second user,” Mohan told The Hacker News.

Additionally, because of the poor session mechanism implemented to
protect the APIs, the API can be exploited to reset the PIN
linked to a random user using the individual’s UUID.

“It was observed that the API calls from mobile were using basic
authentication to fetch data or do transactions. All calls from mobile
have a header flag is_encrypted: 1 which denotes that the user has to
submit the credentials (user_uuid:secret_pin) in basic auth format
encrypted with Algorithm: AES/CBC/PKCS5Padding with key
We4c4HYS5eagYdshfEP2KY27KwkjaZNH”, continues the blog post.

“However it was found that the same api can be accessed with removing
the is_encrypted: 1 flag and then submitting the credentials in basic
auth format (user_uuid:secret_pin).”

The researcher also found a weak SSL pinning mechanism, which makes
bypassing it easy with tools like Frida and known techniques.

Mohan reported the flaws to the Indian Computer Emergency Response
Team (CERT-In) on May 10, which was fixed by the cyber agency on May

“The nature of the vulnerability was such that an individual’s
DigiLocker account could potentially get compromised if the attacker
knew the username for that particular account,” DigiLocker said in a
tweet last week confirming the flaw. “It was not a vulnerability that
could let anyone get access to [the] DigiLocker account of anyone
whose username and other details were not known.

“Upon analysis, it was discovered that this vulnerability had crept in
the code when some new features were added recently. The vulnerability
was patched on a priority basis by the technical team within a day of
getting the alert from CERT-In. This was not an attack on
infrastructure, and no data, database, storage, or encryption was
compromised,” the team added.

Interestingly, during the same week that Mohan discovered the flaw,
another bug bounty researcher, Ashish Gahlot, also found the same
issues independently and reported them to the CERT-In.
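
The mixed-identity login described above (OTP verified as one user, PIN submitted for another) comes down to the server not tying the second step to the identity that passed the first. The sketch below is an added example, not code from the original post, Mohan's blog or DigiLocker; the class, method names and sample users are hypothetical, and it shows the flawed check beside a bound one.

```python
import hmac
import secrets

class LoginFlow:
    """Two-step login (SMS OTP, then PIN). All names here are hypothetical."""

    def __init__(self, pins):
        self.pins = pins      # user_uuid -> PIN (constructed; store a salted hash in practice)
        self.pending = {}     # txn_id -> {"user", "otp", "otp_ok"}, kept server-side

    def start(self, user_uuid):
        txn = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[txn] = {"user": user_uuid, "otp": otp, "otp_ok": False}
        return txn, otp       # OTP is returned only so the demo can stand in for SMS

    def verify_otp(self, txn, otp):
        st = self.pending.get(txn)
        if st is None or not hmac.compare_digest(st["otp"], otp):
            self.pending.pop(txn, None)   # one attempt per transaction in this sketch
            return False
        st["otp_ok"] = True
        return True

    def _pin_ok(self, user_uuid, pin):
        return hmac.compare_digest(self.pins.get(user_uuid, ""), pin)

    def verify_pin_unbound(self, txn, claimed_uuid, pin):
        """Flawed pattern: any verified OTP plus a client-chosen user identifier."""
        st = self.pending.get(txn)
        if st and st["otp_ok"] and self._pin_ok(claimed_uuid, pin):
            return claimed_uuid           # session issued for whoever the client named
        return None

    def verify_pin_bound(self, txn, claimed_uuid, pin):
        """Hardened: the session subject is the user the OTP was issued to."""
        st = self.pending.pop(txn, None)  # transaction is single-use
        if not st or not st["otp_ok"] or claimed_uuid != st["user"]:
            return None
        return st["user"] if self._pin_ok(st["user"], pin) else None

if __name__ == "__main__":
    flow = LoginFlow({"uuid-a": "1111", "uuid-b": "2222"})  # constructed sample users
    txn, otp = flow.start("uuid-a")
    flow.verify_otp(txn, otp)
    print(flow.verify_pin_unbound(txn, "uuid-b", "2222"))   # unbound check accepts uuid-b
    print(flow.verify_pin_bound(txn, "uuid-b", "2222"))     # bound check rejects the mismatch
```

The same binding applies to any follow-on call such as a PIN reset: the subject comes from server-side session state, never from an identifier in the request.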
