According to an exclusive report by security researcher Zack Whittaker (via ZDNet), the national ID database has been hit by yet another major security lapse, and the details of every Indian citizen enrolled in Aadhaar have been leaked.

Aadhaar, the government database for citizen IDs, has fingerprints, iris scans and a lot of other personal information linked to every number. With the government forcing Indians to link every record, be it your bank accounts or your mobile number, an Aadhaar ID leak can put the user at a major privacy risk.

According to a report by The Tribune in January, a security lapse caused a major leak in the Aadhaar system that could give out billions of Aadhaar details in less than 10 minutes and for just Rs 500. That report stated that even companies such as Amazon and Uber can easily tap into an Aadhaar database to identify their customers. A similar report by the Washington Post in January again stated that a billion people are at risk of identity theft due to a security breach in the Aadhaar system. But this time, a security researcher confirmed to ZDNet that a flaw in the Aadhaar database system is still leaking every Aadhaar card's details.

The data leak, on a system run by a state-owned utility company, can allow anyone to download all private information of all Aadhaar holders, thus exposing their names, unique ID numbers, all the services attached including bank details, and a lot more information, said the report. ZDNet's report stated that a utility provider (which they have kept anonymous) has access to the entire Aadhaar database through an API. The API is used by companies to check the status and verify an Aadhaar holder's identity. The endpoint does not pull data only for the utility provider's own customers, but allows access to the Aadhaar details of those who have connections with other utility companies too. ZDNet claims that the API is not secured — the entire Indian citizens' database can be accessed through it regardless of whether a person is a customer of the utility provider or not.

Karan Saini, a New Delhi-based security researcher who found the vulnerable endpoint, told ZDNet that anyone with an Aadhaar number is affected. The report further states that Saini disclosed that the API's URL has no access controls in place. "The affected endpoint uses a hardcoded access token, which, when decoded, translates to "INDAADHAARSECURESTATUS," allowing anyone to query Aadhaar numbers against the database without any additional authentication. Saini also found that the API doesn't have any rate limiting in place, allowing an attacker to cycle through every permutation -- potentially trillions -- of Aadhaar numbers and obtain information each time a successful result is hit. And because there is no rate limiting, Saini said he could send thousands of requests each minute -- just from one computer," the ZDNet report claims.

He explained that it would be possible to enumerate Aadhaar numbers by cycling through combinations, such as 1234 5678 0000 to 1234 5678 9999. "An attacker is bound to find some valid Aadhaar numbers there which could then be used to find their corresponding details," he said. "From the requests that were sent to check for a rate limiting issue and determine the possibility of stumbling across valid Aadhaar numbers, I have found that this information is not retrieved from a static database or a one-off data grab, but is clearly being updated -- from as early as 2014 to mid 2017," Saini told ZDNet. "I cannot speculate whether it is UIDAI that is providing this information to [the utility provider], or if the banks or gas companies are, but it seems that everyone's information is available, with no authentication -- no rate limit, nothing."

The researcher ran (with permission) a few Aadhaar numbers of his friends, and the database returned all information about them. Screenshots seen by ZDNet reveal details about which bank that person uses. However, ZDNet also points out a contradictory tweet from the Indian IT Minister Ravi Shankar Prasad that states the Aadhaar system does not save details of bank accounts.

ZDNet contacted the Indian Consulate in New York and alerted the Consul for trade and customs, Mr Devi Prasad Misra. They explained the entire issue in detail and followed up with questions for more than a week, but the issue was still not addressed. ZDNet claims that the Indian authorities have done nothing to fix the flaw and have not responded to any of their repeated emails in the months since the findings. ZDNet went ahead and published their report, but has refrained from giving out details about the vulnerability until it is fixed by the Indian government. They shall publish a complete detailed report after the vulnerability is fixed.

Though Aadhaar is not completely mandatory, not linking it makes users unable to access basic to major government services. While the Aadhaar case (on making it mandatory) is still with the court, those who have not yet registered are safe. However, the millions who have already registered with UIDAI are presently at a very high risk. We are closely following up on the report and shall keep this article updated with any new information that is released. Stay tuned.

Disclaimer: This report is from ZDNet. Source: Link | Via: Link.
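The two weaknesses the report describes, a lookup API with no rate limiting and ID numbers that can be walked in sequence, both leave a visible pattern in the API's own access log. The following is an added example, not code from ZDNet, Karan Saini or UIDAI, of a per-client guard a defender could run over such a log or in front of the endpoint; the log format, client addresses, ID values and thresholds are all constructed assumptions.

```python
"""Spot bulk enumeration of a lookup API from its access log.

Added example for the rate-limiting and enumeration issues described in the
article; it is not code from ZDNet, Karan Saini or UIDAI.  The log format, the
thresholds and the ID values are constructed assumptions.
"""
from collections import defaultdict, deque


class EnumerationGuard:
    """Per-client sliding-window rate limit plus sequential-ID run detection.

    check() returns "allow", "rate_limited" or "enumeration_suspected".
    """

    def __init__(self, window=60.0, max_requests=30, max_distinct=10, seq_run=5):
        self.window = window              # seconds of history kept per client
        self.max_requests = max_requests  # requests one client may make per window
        self.max_distinct = max_distinct  # distinct IDs one client may query per window
        self.seq_run = seq_run            # consecutive IDs (n, n+1, n+2 ...) before flagging
        self._state = defaultdict(lambda: {"hist": deque(), "last": None, "run": 0})

    def check(self, client, ts, id_number):
        st = self._state[client]
        hist = st["hist"]
        hist.append((ts, id_number))
        while hist and ts - hist[0][0] > self.window:  # drop events outside the window
            hist.popleft()
        # A run of IDs that differ by exactly one is the signature of a range walk
        # (1234 5678 0000, 0001, 0002 ...), even at a modest request rate.
        if st["last"] is not None and id_number == st["last"] + 1:
            st["run"] += 1
        else:
            st["run"] = 1
        st["last"] = id_number
        if len(hist) > self.max_requests:
            return "rate_limited"
        distinct = {queried for _, queried in hist}
        if st["run"] >= self.seq_run or len(distinct) > self.max_distinct:
            return "enumeration_suspected"
        return "allow"


# Constructed access-log lines: "<epoch_seconds> <client> <queried_id> <http_status>"
SAMPLE_LOG = [
    "100.0 10.0.0.9 482910374651 200",  # ordinary caller: a few unrelated lookups
    "101.0 10.0.0.5 123456780000 404",  # range walker: IDs 0000, 0001, 0002 ...
    "101.2 10.0.0.5 123456780001 404",
    "101.4 10.0.0.5 123456780002 200",
    "101.6 10.0.0.5 123456780003 404",
    "101.8 10.0.0.5 123456780004 404",
    "102.0 10.0.0.5 123456780005 200",
    "102.2 10.0.0.5 123456780006 404",
    "105.0 10.0.0.9 730184629517 200",
    "140.0 10.0.0.9 219847365021 200",
]
# Hammering client: 31 lookups of one ID inside ten seconds (constructed).
SAMPLE_LOG += [f"{200 + i * 0.3:.1f} 10.0.0.7 555555555555 200" for i in range(31)]


def parse_line(line):
    ts, client, queried, status = line.split()
    return float(ts), client, int(queried), int(status)


def scan_log(lines, guard=None):
    """Replay log lines in time order; return {client: [verdict, ...]}."""
    guard = guard or EnumerationGuard()
    verdicts = defaultdict(list)
    for ts, client, queried, _status in sorted(parse_line(line) for line in lines):
        verdicts[client].append(guard.check(client, ts, queried))
    return dict(verdicts)


def flagged_clients(lines):
    """Clients that drew any verdict other than 'allow', with those verdicts."""
    return {
        client: sorted(set(v) - {"allow"})
        for client, v in scan_log(lines).items()
        if set(v) != {"allow"}
    }


if __name__ == "__main__":
    print(flagged_clients(SAMPLE_LOG))
```

Two design points matter here. The sequential-run check fires on the fifth consecutive ID even though the walker stays well under the request cap, so a rate limit alone would not have caught it. And the guard is keyed per client, which only works if every caller presents its own credential; a single shared token of the kind the report describes collapses all callers into one identity and makes any per-client limit meaningless.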