- This is not the first time that the anonymous hacker has pointed out chinks in Indian websites’ security
- Over the past few months, many vulnerabilities pointed out by the hacker have, in fact, even been reportedly fixed after being exposed
NEW DELHI: The anonymous hacker who claims to be a French security researcher and goes by the name Elliot Alderson on the micro-blogging site Twitter once again, on Tuesday, sought to expose the vulnerability of Indian government websites. Alderson — a name perhaps inspired by the main protagonist of the American television series Mr. Robot, a cybersecurity engineer and vigilante hacker of the same name — posted screenshots on Twitter, along with a URL on the Andhra Pradesh government’s website, showing how biometric data and Aadhaar card scans of people were openly available.
The alleged French security expert, Elliot Alderson, who created a storm recently by claiming to have accessed over twenty thousand Aadhaar card specifics in a single day using a simple internet search tool, is back in the news. On Wednesday, he posted a video from his Twitter handle @fs0c131y titled “How to bypass the password protection of the official #Aadhaar #android #app in 1 minute”. In this video he points out an alleged basic flaw in the Aadhaar Android app. Before this he had reportedly exposed flaws in BSNL, Paytm and Indian Postal Service systems too. What all these disclosures had in common was that he contacted the organizations concerned on an open platform while pointing out the vulnerabilities.
India Today has spoken to this ethical hacker who goes by the name Elliot Alderson on social media but his real name according to him is Baptiste Robert. Identifying himself as a freelance Android developer who works for phone makers, Robert expressed his inability to give a formal interview over camera or phone and chose to respond to India Today’s questions in writing.
Clarifying his claims of accessing almost 20,000 Aadhaar cards in a single day, he said “these cards can be found on the internet. Everything is public, no hack is required. You only need to use Google. These cards have not been found on the UIDAI server”. He elaborated on how one can misuse Aadhaar by physically accessing a device with the Android app installed. Asked about the main flaw of the Aadhaar system, Robert told India Today “the main issue with the Aadhaar Android app is that if an attacker has physical access to the device, he can easily bypass the password mechanism they put in place in the app”. In the video posted on Twitter he also notes that “the attacker needs physical access to the phone, a rooted phone is not needed and yes this is for the latest version of the app”.
The UIDAI has issued a statement saying “by simply knowing someone’s Aadhaar, one cannot impersonate and harm the person because Aadhaar alone is not sufficient to prove one’s identity but it requires biometrics to authenticate one’s Identity”. Robert has responded to UIDAI’s comments by saying “they (UIDAI) also said that the Aadhaar card is an identity document which is inconsistent with their statement”. When we asked him to give one piece of advice for ordinary citizens who use Aadhaar and don’t want their data to be compromised, he replied “it’s complicated, first don’t use the Aadhaar Android App at all, be cautious when you give your Aadhaar card to anyone”.
When India Today asked about his motivation for exposing security flaws which largely affect a foreign country, he said “I just want to point out these flaws and help companies to fix them. I’m not motivated by the money at all”. “Security is important. As a company, it is your duty to protect your user data,” he concluded, reminding the organizations which collect user data. While UIDAI issued a statement saying “It is reiterated that Aadhaar remains safe and secure and there has not been a single breach from its biometric database during the last eight years of its existence”, social media is once again abuzz with debate over the vulnerability of Aadhaar data.
Hi @UIDAI and @ceo_uidai, let me show you one of the “unscrupulous elements”. This governmental website is leaking 4769 files. In this open directory you can find biometric data, #Aadhaar card scans and more. http://pris.ap.gov.in/bpl/uploads/
The URL seems to have been blocked after the hacker’s tweet. This is not the first time Alderson has pointed out chinks in Indian websites’ security — both government and otherwise. Over the past few months, many vulnerabilities pointed out by the anonymous vigilante hacker have, in fact, reportedly been fixed after being exposed.
(Screenshot shared by ‘Elliot Alderson’)
To recap, Alderson is the same person who had flagged that digital payments company Paytm was asking its Android users for ‘root access’ to their phones, which would have effectively given the company complete access to a user’s device. While Paytm has now stopped asking for the access, it maintains that the earlier request was made to meet requirements laid down by the payments umbrella body NPCI (National Payments Corporation of India), which mandates checking whether a device is rooted.
However, the vigilante seems to have been especially focused on exposing Aadhaar — the 12 digit unique identification number based on biometric and demographic data — related security flaws and vulnerabilities.
(Screenshot shared by ‘Elliot Alderson’)
All this while, though, UIDAI (Unique Identification Authority of India) — the body which controls and issues the biometrics-based identities — has maintained that the system is “safe and secure”. Interestingly, Alderson has pointed out that he’s not necessarily against Aadhaar.
7 hours after my tweet, they changed https://t.co/RcoMlnD6jo with a blank page. You don’t even know how to fix this issue, the documents are still accessible…🤦♂️ pic.twitter.com/8OgzJ3QVEY
— Elliot Alderson (@fs0c131y) March 14, 2018
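The tweet above describes the classic half-fix for an exposed upload directory: replacing the listing page with a blank one hides the index, but every file remains reachable at its direct URL. The nginx snippet below, an added example that is not from the article or from any of the sites it mentions, contrasts the weak configuration with a hardened one; the `/uploads/` path and the `authenticated_download` handler are assumptions chosen for illustration. The two `location` blocks are alternatives for the same path, not meant to be combined in one server block.

```nginx
# Weak: directory listing is on and there is no access control.
# Dropping a blank index.html here only hides the listing; a request
# for /uploads/any-known-filename.jpg still returns the file.
location /uploads/ {
    autoindex on;
}

# Hardened: no listing, and the raw upload directory is never served
# directly. Files are handed out only through an application handler
# that performs authentication and authorisation (assumed upstream).
location /uploads/ {
    autoindex off;
    deny all;
}

location /download/ {
    # Hypothetical authenticated handler; the app maps a validated
    # request to a file and streams it, so guessing a filename is useless.
    proxy_pass http://authenticated_download;
}
```

With the hardened form, a direct request for `/uploads/<file>` returns 403 whether or not an index page exists, which is the check a defender should run after any such fix: fetch a known file by its direct path, not just the directory URL.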
March 15, 2018 at 4:21 pm
The French hacker has exposed chinks in the Aadhaar project app to demonstrate its vulnerability. People should exercise caution for the safety of their data.