The Indian government has fixed a critical vulnerability in its secure document wallet service ‘DigiLocker’ that could have allowed access over 3 billion documents.
For those unaware, DigiLocker is an online service provided by the Ministry of Electronics and IT (MeitY), Government of India under its Digital India initiative.
DigiLocker provides an account in the cloud to every Aadhaar holder to access authentic documents/certificates such as driving license, vehicle registration, academic mark sheet in digital format from the original issuers of these certificates.
It also provides 1GB storage space to each account to upload scanned copies of legacy documents. The service has over 38 million registered users.
The issue was first discovered by Mohesh Mohan, a senior security specialist for Dubai smart Government. According to Mohan, the flaw could have potentially allowed a remote attacker to bypass mobile one-time passwords (OTP) and sign in as other users to access the sensitive documents stored in the wallet of any user.
“The OTP function lacks authorization which makes it possible to perform OTP validation with submitting any valid users details and then manipulation flow to sign in as a totally different user,” Mohan wrote in a blog post detailing his findings.
According to Mohan, an attacker could unauthorisedly access any DigiLocker account either by using the victim’s Aadhaar ID or the associated mobile number or username. This prompts the service to send an OTP and subsequently exploit the flaw to bypass the sign-in process.
The researcher also pointed out that the mobile app version of DigiLocker uses a 4-digit PIN for an extra layer of security. However, he found that it was possible to modify the API calls to authenticate the PIN by linking the PIN to another user (identified with a version-5 UUID) and successfully access the victim’s account.
This means “you can do the SMS OTP [verification] as one user and submit the pin of a second user, and finally, you will end up logging in as the second user,” Mohan told The Hacker News.
Additionally, due to the poor session mechanism implemented to protect the APIs, it implies that the API can be exploited to reset the PIN linked to a random user using the individual’s UUID.
“It was observed that the API calls from mobile were using basic authentication to fetch data or do transactions. All calls from mobile has a header flag is_encrypted: 1 which denotes that the user has to submit the credentials (user_uuid:secret_pin) in basic auth format encrypted with Algorithm: AES/CBC/PKCS5Padding with key We4c4HYS5eagYdshfEP2KY27KwkjaZNH”, continues the blog post.
“However it was found that the same api can be accessed with removing the is_encrypted: 1 flag and then submitting the credentials in basic auth format (user_uuid:secret_pin).”
The researcher also found weak SSL pinning mechanism, which makes bypassing easy with tools like Frida and known techniques.
Mohan reported the flaws to the Indian Computer Emergency Response Team (CERT-In) on May 10, which was fixed by the cyber agency on May 28.
“The nature of the vulnerability was such that an individual’s DigiLocker account could potentially get compromised if the attacker knew the username for that particular account,” Digilocker said in a tweet last week confirming the flaw. “It was not a vulnerability that could let anyone get access to [the] DigiLocker account of anyone whose username and other details were not known.
“Upon analysis, it was discovered that this vulnerability had crept in the code when some new features were added recently. The vulnerability was patched on a priority basis by the technical team within a day of getting the alert from CERT-In. This was not an attack on infrastructure, and no data, database, storage, or encryption was compromised,” the team added.
Interestingly, during the same week that Mohan discovered the flaw, another bug bounty researcher, Ashish Gahlot, also found the same issues independently and reported them to the CERT-In.