Any Indian DigiLocker Account Could’ve Been Accessed Without Password
The Indian Government has fixed a flaw in its secure document wallet service, DigiLocker, that could have allowed access to any account without its password.
The Indian Government announced that it has fixed a critical vulnerability in its secure document wallet service, DigiLocker, that could have allowed a remote attacker to sign in as other users.
DigiLocker is an online service provided by the Ministry of Electronics and IT (MeitY), Government of India, under its Digital India initiative. It gives every Aadhaar holder a cloud account from which authentic documents and certificates, such as a driving licence, vehicle registration or academic mark sheet, can be retrieved in digital form from their original issuers. Each account also gets 1 GB of storage for scanned copies of legacy documents. The service has over 38 million registered users.
The flaw allowed an attacker to bypass the mobile one-time password (OTP) check and read the sensitive documents stored in any user's wallet.
Security researcher Mohesh Mohan published a post describing how he gained access to the platform, which holds over 3 billion documents.
“The OTP function lacks authorization, which makes it possible to perform OTP validation by submitting any valid user's details and then manipulating the flow to sign in as a totally different user,” wrote Mohan.
Mohan found that an attacker could get into any DigiLocker account simply by knowing its Aadhaar ID, the associated mobile number, or the username.
Below are the attack steps described by the researcher:
- The attacker uses a valid account that he controls and starts the login process by submitting its phone number.
- The attacker completes the OTP validation with the account (mobile number) he possesses.
- The attacker proceeds to submit the secret PIN.
- The mobile app calls two URLs for this (POST requests).
- The web application calls two URLs (POST requests).
- All of the above calls post a base64 encoding of user_uuid:secret_pin (similar to basic auth) in the loginTxn parameter.
- The attacker modifies these calls to carry any other user's uuid and secret PIN combination before they are submitted.
- The attacker is now logged in as the victim, so the victim's OTP protection is bypassed.
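The flow in those steps, as an added example that is not the researcher's or DigiLocker's code: a small Go model of the server side in which the OTP step records which user a session has proven, and the PIN step either takes its identity from the uuid inside loginTxn (the behaviour the steps describe) or binds it to the OTP-verified session (the fix). The handler names, user records, phone numbers, PINs and the stand-in OTP are constructed for illustration, and the example assumes the victim's uuid and PIN are already known (the report separately describes resetting any user's PIN from their UUID).

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed user store (not real data): user_uuid -> secret_pin, phone -> user_uuid.
var pins = map[string]string{"uuid-attacker": "1111", "uuid-victim": "2222"}
var phoneToUUID = map[string]string{"9100000001": "uuid-attacker", "9100000002": "uuid-victim"}

// session is the server-side state of one login attempt.
type session struct{ otpUser, loggedInAs string }

// otpFor stands in for the SMS OTP; only the phone's owner ever sees it.
func otpFor(phone string) string { return "otp-" + phone }

// verifyOTP is steps 1-2: it records which user this session has proven.
func verifyOTP(s *session, phone, otp string) error {
	id, ok := phoneToUUID[phone]
	if !ok || subtle.ConstantTimeCompare([]byte(otp), []byte(otpFor(phone))) != 1 {
		return errors.New("otp validation failed")
	}
	s.otpUser = id
	return nil
}

// loginTxn is base64(user_uuid:secret_pin), as the steps describe.
func makeLoginTxn(uuid, pin string) string {
	return base64.StdEncoding.EncodeToString([]byte(uuid + ":" + pin))
}

func parseLoginTxn(txn string) (string, string, error) {
	raw, err := base64.StdEncoding.DecodeString(txn)
	parts := strings.SplitN(string(raw), ":", 2)
	if err != nil || len(parts) != 2 {
		return "", "", errors.New("malformed loginTxn")
	}
	return parts[0], parts[1], nil
}

func pinMatches(uuid, pin string) bool {
	want, ok := pins[uuid]
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(pin)) == 1
}

// submitPINVulnerable is the PIN step as the report describes it: the identity
// comes entirely from loginTxn, so the session becomes whoever the client names.
func submitPINVulnerable(s *session, loginTxn string) error {
	uuid, pin, err := parseLoginTxn(loginTxn)
	if err != nil {
		return err
	}
	if !pinMatches(uuid, pin) {
		return errors.New("wrong pin")
	}
	s.loggedInAs = uuid
	return nil
}

// submitPINFixed binds the PIN step to the OTP-verified session and rejects a
// loginTxn that names anyone else (or arrives before any OTP step at all).
func submitPINFixed(s *session, loginTxn string) error {
	uuid, pin, err := parseLoginTxn(loginTxn)
	if err != nil {
		return err
	}
	if s.otpUser == "" || uuid != s.otpUser || !pinMatches(s.otpUser, pin) {
		return errors.New("loginTxn does not match the otp-verified user")
	}
	s.loggedInAs = s.otpUser
	return nil
}

// attack runs steps 1-7 against a PIN handler: OTP on the attacker's own phone,
// then a loginTxn for the victim. The victim's uuid and PIN are assumed known.
func attack(submitPIN func(*session, string) error) (string, error) {
	s := &session{}
	if err := verifyOTP(s, "9100000001", otpFor("9100000001")); err != nil {
		return "", err
	}
	if err := submitPIN(s, makeLoginTxn("uuid-victim", pins["uuid-victim"])); err != nil {
		return "", err
	}
	return s.loggedInAs, nil
}

func main() {
	fmt.Println(attack(submitPINVulnerable)) // uuid-victim <nil>
	fmt.Println(attack(submitPINFixed))      // "" loginTxn does not match the otp-verified user
}
```

The attack function replays the steps against either handler: with the vulnerable one the session ends up as uuid-victim, with the fixed one the loginTxn is rejected because its uuid is not the one the OTP step proved. The check that matters is the comparison against s.otpUser; the identity the client supplies in the PIN call is never used to decide whose session this is.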
The researcher pointed out that the DigiLocker mobile app uses a 4-digit PIN as an additional layer of security. However, he was able to modify the API calls that authenticate the PIN, associating the PIN with another user, and so gain access to the victim's account.
Because of the weak session mechanism protecting the APIs, it was also possible to reset the PIN of an arbitrary user given only that user's UUID.
“It was observed that the API calls from mobile were using basic authentication to fetch data or do transactions. All calls from mobile have a header flag is_encrypted: 1, which denotes that the user has to submit the credentials (user_uuid:secret_pin) in basic auth format encrypted with Algorithm: AES/CBC/PKCS5Padding with key We4c4HYS5eagYdshfEP2KY27KwkjaZNH,” the report continues.
“However, it was found that the same API can be accessed by removing the is_encrypted: 1 flag and then submitting the credentials in basic auth format (user_uuid:secret_pin).”
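How that header flag was exploitable, as an added example that is not the researcher's or DigiLocker's code: a Go model of the mobile API's credential check. With allowPlaintext=true it does what the report describes, decrypting the Basic-auth payload with AES/CBC/PKCS5Padding under the quoted key only when the client sends is_encrypted: 1 and otherwise taking the payload as plaintext; with allowPlaintext=false the plaintext path is refused. The user record, the use of an Authorization header for the Basic payload, and the random-IV-prefixed ciphertext layout are assumptions not stated in the report.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Key quoted in the report (32 bytes, so AES-256); it ships inside the app.
const appKey = "We4c4HYS5eagYdshfEP2KY27KwkjaZNH"

// Constructed user store (not real data): user_uuid -> secret_pin.
var pins = map[string]string{"uuid-victim": "2222"}

// encryptCBC: AES/CBC/PKCS5Padding under appKey, random IV prefixed (layout assumed).
func encryptCBC(plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher([]byte(appKey))
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

func decryptCBC(data []byte) ([]byte, error) {
	block, err := aes.NewCipher([]byte(appKey))
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

// authenticate checks "user_uuid:secret_pin" from the Basic header and returns the uuid.
// allowPlaintext=true is the reported behaviour: the client's is_encrypted flag decides
// whether decryption runs at all. allowPlaintext=false refuses that downgrade.
func authenticate(headers map[string]string, allowPlaintext bool) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(headers["Authorization"], "Basic "))
	if err != nil {
		return "", err
	}
	if headers["is_encrypted"] == "1" {
		if raw, err = decryptCBC(raw); err != nil {
			return "", err
		}
	} else if !allowPlaintext {
		return "", errors.New("encrypted credentials required")
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed credentials")
	}
	if pin, ok := pins[parts[0]]; !ok || subtle.ConstantTimeCompare([]byte(pin), []byte(parts[1])) != 1 {
		return "", errors.New("bad uuid or pin")
	}
	return parts[0], nil
}

// makeRequest builds the client headers: encrypted=true is what the genuine app sends
// (and what anyone holding appKey can send); false is the same call with is_encrypted removed.
func makeRequest(uuid, pin string, encrypted bool) (map[string]string, error) {
	payload, h := []byte(uuid+":"+pin), map[string]string{}
	if encrypted {
		ct, err := encryptCBC(payload)
		if err != nil {
			return nil, err
		}
		payload, h["is_encrypted"] = ct, "1"
	}
	h["Authorization"] = "Basic " + base64.StdEncoding.EncodeToString(payload)
	return h, nil
}

func main() {
	plain, _ := makeRequest("uuid-victim", "2222", false) // is_encrypted removed
	fmt.Println(authenticate(plain, true))                  // uuid-victim <nil>
}
```

Two things to take from it. First, a security control selected by a client-controlled header is not a control: removing is_encrypted turns the "encrypted" API into plain Basic auth. Second, closing that downgrade is not enough on its own, because appKey ships in the APK; makeRequest(..., true) builds ciphertext the strict handler accepts from anyone who has extracted the key. A static key in the app gives obfuscation, not confidentiality; transport protection belongs to TLS, and the session, not the per-call credential, should carry the user's identity.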
The researcher also found that the mobile app's SSL pinning was weak.
He reported his findings to CERT-In on May 10, and the issue was fixed on May 28.
“The nature of the vulnerability was such that an individual’s DigiLocker account could potentially get compromised if the attacker knew the username for that particular account,” DigiLocker said in a tweet last week acknowledging the flaw. “It was not a vulnerability that could let anyone get access to [the] DigiLocker account of anyone whose username and other details were not known.”
“Upon analysis, it was discovered that this vulnerability had crept in the code when some new features were added recently. The vulnerability was patched on a priority basis by the technical team within a day of getting the alert from CERT-In. This was not an attack on infrastructure, and no data, database, storage, or encryption was compromised.”
(SecurityAffairs – digilocker, hacking)