If you think your Aadhaar data is only in the hands of those authorised to access the official Aadhaar database, think again. Following up on an investigation by The Tribune, The Quint found that completely random people like you and me, with no official credentials, can access and become admins of the official Aadhaar database (with names, mobile numbers, addresses of every Indian linked to the UIDAI scheme). But that’s not even the worst part. Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters – the Aadhaar database won’t ask.
A person of your choosing would then have access to the data of all 119,22,59,062 Aadhaar cardholders.
Exposed: Massive Security Loophole in Aadhaar Portal
Let’s break it down.
(By the way, within hours of The Tribune’s report that showcased how a reporter could access the Aadhaar portal in 5 minutes and by spending Rs 500, the website portal.uidai.gov.in was down. Visiting the site gave the response – “This site can’t be reached.”)
Getting back to Person X.
Now, Person X may have been provided access to the Aadhaar portal by the government for carrying out certain legitimate functions.
However, here’s the catch.
Person X also has the ability to provide anybody else in the world the rights to access the portal as an admin.
Yes, let that sink in. Person X can basically freely distribute access to the secure, protected Aadhaar government portal to anybody he wants. All X needs to do is enter the name and email address of any individual into the portal, and that person becomes a new admin with access to the Aadhaar portal and all its data.
Let’s say X gives access to person Y and person Z. Persons Y and Z can then log onto the Aadhaar portal and add Persons A, B, C and so on.
The fact that a secure government portal allows any of its admins to indiscriminately add other admins is something that can be grossly misused. Well-placed sources familiar with the matter confirm that this provision has indeed already been misused. In fact, individuals with admin rights have even granted admin access to others in exchange for money.
The going rate for being granted access to the Aadhaar portal has varied from Rs 500 to Rs 6,000, and possibly higher in other cases.
Once an Admin, What Can You Do?
Once you are made an admin of the Aadhaar portal, here’s what you can do – and we’re not making this up. Well-placed sources have successfully attempted this.
Starting from the Aadhaar number of the person whose ID was originally used to access the portal, new admins can reach the user information of other Aadhaar cardholders.
The URL of the original admin’s profile contains his or her 12-digit Aadhaar number. All the new admin has to do is replace the 12-digit Aadhaar number with the Aadhaar number of anyone in the country. That person’s details will immediately pop up on the screen.
These details include:
- His or her photograph
- Full name
- Parent’s name
- Date of birth
- Email address
- Mobile number
- Local language
- Complete residential address
Who Should Be Worried?
To cut a long story short – everyone.
If you think that your personal information is only vulnerable in case the new admins have your Aadhaar number, think again.
Since the portal allows an admin to view the data of different users by merely changing the 12-digit number in the URL, a computer program could potentially run through every possible number and end up with the data of every single one of the 119,22,59,062 Aadhaar cardholders.
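The enumeration risk described above, seen from the defender’s side: an added example that is not from The Quint, The Tribune or the UIDAI, which scans constructed portal access logs for an admin session walking profile URLs by substituting one 12-digit number after another. The log format, the `/portal/profile/` path and the session ids are assumptions; the Aadhaar numbers are fabricated placeholders.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real data): timestamp, admin session id,
# request path. The 12-digit numbers are fabricated placeholders, not real
# Aadhaar numbers. sess-A views one profile; sess-B walks consecutive ids;
# sess-D pulls several unrelated profiles in a short time.
SAMPLE_LOG = """\
2018-01-04T10:00:01 sess-A GET /portal/profile/100000000001
2018-01-04T10:00:09 sess-A GET /portal/profile/100000000001
2018-01-04T10:01:00 sess-B GET /portal/profile/200000000001
2018-01-04T10:01:01 sess-B GET /portal/profile/200000000002
2018-01-04T10:01:02 sess-B GET /portal/profile/200000000003
2018-01-04T10:01:03 sess-B GET /portal/profile/200000000004
2018-01-04T10:02:00 sess-D GET /portal/profile/300000000007
2018-01-04T10:02:30 sess-D GET /portal/profile/300000000042
2018-01-04T10:02:45 sess-D GET /portal/profile/300000000101
2018-01-04T10:03:10 sess-D GET /portal/profile/300000000250
2018-01-04T10:03:20 sess-D GET /portal/profile/300000000999
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /portal/profile/(\d{12})$")

def parse_log(text):
    """Yield (timestamp, session, profile_number) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def find_enumeration(text, max_distinct=4, min_sequential_run=3):
    """Flag sessions that view more than max_distinct different profiles, or
    walk profile numbers in a consecutive run. Returns {session: reason}."""
    ids_by_session = defaultdict(list)
    for _, sess, num in parse_log(text):
        ids_by_session[sess].append(num)
    flagged = {}
    for sess, ids in ids_by_session.items():
        distinct = set(ids)
        if len(distinct) > max_distinct:
            flagged[sess] = f"{len(distinct)} distinct profiles viewed"
            continue
        # longest run in which each requested id is exactly the previous id + 1
        run, best = 1, 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_sequential_run:
            flagged[sess] = f"sequential run of {best} profile ids"
    return flagged
```

The thresholds are deliberately low so the constructed log trips them; on real traffic they would be tuned to how many profiles a legitimate admin task actually touches, and a flagged session would be a trigger for revoking that login and reviewing who granted it.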
Does this site show your biometric data? No.
Is this still a worry for you?
Think about it. A photograph of you along with all that personal information of yours has been in the hands of unauthorised persons with no government links or credentials.
Yes, the fact that your personal data is unsafe should definitely worry you.
What could these unauthorised admins use the data for?
The unauthorised admins could sell your data, along with that of millions of others, for a fortune. They could attempt to extract other personal information of yours based on the information that they already have.
It’s their call, really.
Dear UIDAI and Government of India, the data breach is worrisome to say the least. The fact that the Aadhaar portal, advertised as being secure, does not have any checks on authorised admins arbitrarily adding new individuals as admins poses a massive threat to our privacy and security.
Let’s face it, even relatively unimportant systems have access control via 2-stage or 3-stage processes, OTPs, biometric checks and the like – but the world’s largest biometric database allows its admin rights to be freely exchanged across any email address in the world. Could the UIDAI not have added a security check, such as a biometric authentication, for any unknown person who tries to log in from these freely exchangeable logins?
Is it too late to wake up and plug the holes now? And has the UIDAI even woken up yet?
The Quint has reached out to the authorities at the UIDAI for a response to this investigation. This article will be updated with their response if and when they revert.