PM-Kisan website found leaking Aadhaar data of over 110 million Indian farmers


The website of PM-Kisan, short for Pradhan Mantri Kisan Samman Nidhi, was leaking the Aadhaar data of over 110 million farmers, a security researcher said. In his post on Medium, Atul Nair said that the dashboard feature of the PM-Kisan website has an endpoint that returned the Aadhaar numbers of every registered farmer in a given region. An attacker needed only minor changes to the website's own client-side script to pull the data in bulk.

Nair, a security researcher who is volunteering at Kerala Police Cyberdome per his LinkedIn, said he was able to obtain a small sample of the exposed farmer records and the Aadhaar numbers associated with them from the PM-Kisan website. He provided the sample to TechCrunch, which says it verified the information as authentic by matching the leaked records against individual entries in the PM-Kisan website's own finder tool.

Pradhan Mantri Kisan Samman Nidhi, better known as PM-Kisan, is a government initiative that provides farmers in India with a minimum support income of Rs 6,000 per year. It uses farmers' Aadhaar data for registration and further processes, such as direct benefit transfer (DBT). Aadhaar, a unique 12-digit number assigned to Indian residents as part of the country's identity database, is often required for availing government services. The number itself is not designed to be secret, but it is the key that links a person's records across services, so unauthorised bulk access to it exposes details like residential addresses and bank account information and makes holders easier targets for fraud and further attacks.

The post on Medium includes screenshots of the PM-Kisan website's script showing the portion that exposed Aadhaar numbers together with each farmer's region. The researcher said the leak could have affected more than 110 million farmers, which is the total number of farmers registered with the PM-Kisan initiative.

Nair said that he informed the Indian Computer Emergency Response Team (CERT-In) about the leak on January 29, 2022. He received a response from the government agency two days later in which he was given a reference number and informed that his report was forwarded to the concerned authorities.

On February 26, 2022, CERT-In told Nair that the concerned entity had still not confirmed fixing the vulnerability and that the matter had already been escalated "for appropriate action." On May 28, Nair discovered that the issue was fixed and informed CERT-In. Nair did not say exactly when the entity CERT-In referred to in its responses had patched the vulnerability, so it is unclear whether the farmers' Aadhaar data remained accessible for the whole period between the January report and the May fix.

This is not the first time Aadhaar data has leaked. In 2017, a report suggested that over 130 million Aadhaar numbers and the banking data associated with them had been exposed by multiple websites. Then, in 2018, Aadhaar data of numerous individuals was put up for sale by people who claimed to have access to the database.
