A Twitter handle of anonymous hackers by the name Lulzsec India has tweeted about a vulnerability involving 22,000 Aadhaar and PAN cards. They have refused to provide further information till the vulnerability is patched. The screenshot they have tweeted appears to show numbered folders and image documents of an Aadhaar card and the name “Kamlesh Tiwari” written by hand – which could be the scan of a signature.
The breach does not appear to be a website vulnerability, but a poorly coded server related to PAN applications, that allows malicious hackers unlimited file management access over ftp. As of now, it is not known which server this information is on and the group refuses to reveal further details till the vulnerability is fixed.
“We all live in a country where cybersecurity made stronger only by court orders and useless statements of denial and not secure coding practices,” said Lulzsec India when approached via private messages for more information related to the breach.
Other security issues reported by Lulzsec India include vulnerabilities that allowed logging into the Rajya Sabha server and that ISRO Bhuvan Mapper was running on 7-year-old server code and was vulnerable to all the security issues that had been revealed in that time.
Some instances of website or application breach:
July 28, 2017 – Abhinav Srivastava, co-founder of Quarth technologies created an “Aadhaar e-KYC” app that accessed the UIDAI API without authorization.
September 10, 2017 – During the Kanpur Fake Aadhaar Enrollment scam, the enrollment software was found to be reverse engineered to bypass iris scan authentication for operators.
January 4, 2018 – The Tribune had reported access to Aadhaar data could be purchased for as little as Rs. 500 on social media.
January 4, 2018 – The Quint reported that data admins could create other data admin accounts at discretion – without any checks.