Any Indian DigiLocker Account Could’ve Been Accessed Without Password

June 8, 2020
in Internet Privacy

The Indian Government said it has addressed a critical vulnerability in its secure document wallet service Digilocker that could have potentially allowed a remote attacker to bypass mobile one-time passwords (OTP) and sign in as other users to access their sensitive documents stored on the platform.

“The OTP function lacks authorization which makes it possible to perform OTP validation with submitting any valid users details and then manipulation flow to sign in as a totally different user,” security researcher Mohesh Mohan said in a disclosure shared with The Hacker News.

With over 38 million registered users, Digilocker is a cloud-based repository that acts as a digital platform to facilitate online processing of documents and speedier delivery of various government-to-citizen services. It’s linked to a user’s mobile number and Aadhaar ID—a unique identity number (UID) issued to every resident of India.

According to Mohan, to gain unauthorized access to a targeted Digilocker account, all an attacker needs to know is the victim’s Aadhaar ID, linked mobile number, or username: supplying any one of these prompts the service to send an OTP, after which the flaw can be exploited to bypass the sign-in process.

It’s worth noting that the mobile app version of Digilocker also comes with a 4-digit PIN as an added layer of security. But the researcher said it was possible to modify the API calls that authenticate the PIN so that the PIN was checked against another user (identified by a version-5 UUID), and thereby successfully log in as the victim.

This means “you can do the SMS OTP [verification] as one user and submit the pin of a second user, and finally, you will end up logging in as the second user,” Mohan said.

What’s more, the API endpoint used to set the secret PIN lacked authorization, which effectively means it could be exploited to reset the PIN of any user whose UUID was known.

“There is no session-related information on the POST request, so it’s not bound to any user,” Mohan added.
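The three defects described above (an OTP result that is not tied to the user it was issued for, a PIN check that accepts a different user’s identifier than the OTP’s, and a PIN-reset endpoint with no session binding) all come down to one server-side rule: every step of a multi-factor flow must be bound to the identity established in the first step. The following is an added illustration written for this article, not DigiLocker’s code or the researcher’s; `AuthServer`, `run_flow`, the user records, phone numbers, UUIDs and PINs are all constructed. With `bind_session=False` the server records OTP success as a bare flag and checks nothing further, so the PIN step and the reset endpoint accept whatever user identifier they are given; with `bind_session=True` the PIN must belong to the OTP’s subject and a PIN reset requires a fully signed-in session for that same user.

```python
"""Two-factor sign-in (SMS OTP, then 4-digit PIN) with and without server-side
identity binding. Added illustration, not DigiLocker's code: the users, phone
numbers, UUIDs and PINs below are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted PBKDF2: a leaked table must not expose 4-digit PINs to trivial guessing
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class User:
    uuid: str
    phone: str
    salt: bytes
    pin_hash: bytes

@dataclass
class Session:
    otp: Optional[str] = None          # pending one-time password, single use
    subject: Optional[str] = None      # uuid the OTP was issued for
    otp_verified: bool = False
    logged_in_as: Optional[str] = None

class AuthServer:
    """bind_session=False reproduces the flaw class described above: OTP success
    is stored as a bare flag, and neither the PIN check nor the PIN-reset endpoint
    asks which user that flag belongs to. bind_session=True is the hardened form."""

    def __init__(self, users: List[User], bind_session: bool) -> None:
        self.users: Dict[str, User] = {u.uuid: u for u in users}
        self.bind_session = bind_session
        self.sessions: Dict[str, Session] = {}

    def start(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session()
        return sid

    def request_otp(self, sid: str, phone: str) -> str:
        user = next(u for u in self.users.values() if u.phone == phone)
        s = self.sessions[sid]
        s.otp = f"{secrets.randbelow(10**6):06d}"
        s.subject = user.uuid             # remember who this challenge was issued for
        return s.otp                      # would go out by SMS; returned here for the demo

    def verify_otp(self, sid: str, otp: str) -> bool:
        s = self.sessions[sid]
        if s.otp is None or not hmac.compare_digest(s.otp, otp):
            return False
        s.otp, s.otp_verified = None, True
        return True

    def verify_pin(self, sid: str, uuid: str, pin: str) -> bool:
        s = self.sessions[sid]
        if not s.otp_verified:
            return False
        if self.bind_session and uuid != s.subject:
            return False                  # hardened: PIN must belong to the OTP's subject
        user = self.users.get(uuid)
        if user is None or not hmac.compare_digest(hash_pin(pin, user.salt), user.pin_hash):
            return False
        s.logged_in_as = uuid
        return True

    def set_pin(self, sid: Optional[str], uuid: str, new_pin: str) -> bool:
        if self.bind_session:
            s = self.sessions.get(sid or "")
            if s is None or s.logged_in_as != uuid:
                return False              # hardened: only the fully signed-in owner may reset
        user = self.users[uuid]
        user.salt = secrets.token_bytes(16)
        user.pin_hash = hash_pin(new_pin, user.salt)
        return True

def make_user(uuid: str, phone: str, pin: str) -> User:
    salt = secrets.token_bytes(16)
    return User(uuid, phone, salt, hash_pin(pin, salt))

def run_flow(bind_session: bool) -> Dict[str, bool]:
    """Drive one sign-in against a server of the given kind and report what it accepted."""
    alice = make_user("uuid-alice", "+91-0000000001", "1111")   # constructed
    bob = make_user("uuid-bob", "+91-0000000002", "2222")       # constructed
    srv = AuthServer([alice, bob], bind_session)
    sid = srv.start()
    otp = srv.request_otp(sid, alice.phone)                     # OTP issued for Alice
    return {
        "otp_accepted": srv.verify_otp(sid, otp),
        "pin_for_other_subject_accepted": srv.verify_pin(sid, "uuid-bob", "2222"),
        "own_pin_accepted": srv.verify_pin(sid, "uuid-alice", "1111"),
        "pin_reset_without_session_accepted": srv.set_pin(None, "uuid-bob", "9999"),
    }

if __name__ == "__main__":
    for bind in (False, True):
        print("bind_session =", bind, run_flow(bind))
```

The point of the design is that the server, not the client, decides whose second factor is being checked: the OTP challenge carries its subject, the PIN endpoint refuses any identifier other than that subject, and a reset is only honoured for a session that has completed both factors for the same user. A detection-side corollary is worth logging: a PIN verification or reset whose user identifier differs from the session’s OTP subject should never occur in a correct client, so such requests are a clean signal for alerting.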

In addition to the issues mentioned above, the API calls from the mobile app were protected by basic authentication that could be circumvented by removing the header flag “is_encrypted: 1.” The application was also found to implement a weak SSL pinning mechanism, leaving it vulnerable to a bypass using tools like Frida.

After the flaws were reported to CERT-In on May 10, the cyber agency said the issues were fixed on May 28.

“The nature of the vulnerability was such that an individual’s DigiLocker account could potentially get compromised if the attacker knew the username for that particular account,” Digilocker said in a tweet last week acknowledging the flaw. “It was not a vulnerability that could let anyone get access to [the] DigiLocker account of anyone whose username and other details were not known.”

“Upon analysis, it was discovered that this vulnerability had crept in the code when some new features were added recently. The vulnerability was patched on a priority basis by the technical team within a day of getting the alert from CERT-In. This was not an attack on infrastructure, and no data, database, storage, or encryption was compromised,” the team added.


Credit: The Hacker News. By Ravie Lakshmanan.
