Aadhaar hack encore: Basic SQL injection exposes 96 lakh accounts

A security researcher brings to light the absolute ease with which Aadhaar data can be accessed.

In yet another Aadhaar data breach, French white hat hacker, Baptiste Robert breached Telangana government’s benefit disbursement portal, TSPost and exposed Aadhaar details of 56 lakh NREGA (National Rural Employment Guarantee scheme) beneficiaries, and an additional 40 lakh SSP (Social Security Pensions) legatees.

Robert, who goes by the pseudonym Elliot Alderson on Twitter, shared the exposé on his account and said, “In theory, a government website is very secure, but in India it’s another story.”

Breaching Aadhaar a piece of cake

Sharing his modus operandi, Robert revealed that he carried out a basic Structures Query Language injection (SQLi) to penetrate the site.

A fairly common technique, SQLi enables a hacker to attack data-driven applications by introducing malicious SQL codes into a database.

Following the code injection, a hacker gains the ability to spoof identity, bypass authentication protocols, tinker around with existing data, and even make it unavailable to database administrators.

The hacking technique, first introduced in 1998, is one of the oldest and widely used methods among cyber criminals.

Not the first time Aadhaar laid bare

The breach marks the third major security incident in 2018. On January 5, 100 crore Aadhaar accounts were compromised from the Unique Identification Authority of India (UIDAI) database. What took the cake was that one could gain access to names, addresses, Aadhaar numbers, phone numbers – the whole shebang – of 120 crore individuals, for a mere Rs 500.

Soon after, on February 9, the Indian government admitted that there have been cases of fraudulent money withdrawal using Aadhaar details.

There’s no denying that protecting Aadhaar data for our teeming millions is no small feat. However, the government’s ostrich act following data breach exposures has been disappointing so far.

Following the January 5 incident, UIDAI denied any data breach and rubbished it as a case of “misreporting”.

And this time, the Telangana State portal found it more prudent to go offline rather than patch and remediate the vulnerability.