Indian Oil’s LPG flagship – Indane puts an estimated 6.7M Aadhaar numbers at risk

Indian Oil denies leaking Aadhaar and personal data of an estimated 6,791,200 Indane users in face of irrefutable evidence. 


French security researcher and Aadhaar-breach hound Baptiste Robert has struck again. On the 19th of this month, the now-famous Aadhaar tormentor revealed a major security failure on the Indian Oil-owned Indane website. 

Kaspersky Lab stated that potentially compromised details include names, addresses and the customers’ confidential Aadhaar numbers hidden in the link of each record. The company cautions that leaked data of this kind usually serves to personalize phishing and scams.


Aadhaar’s Achilles heel – 3rd party authentication

The independent researcher who goes by the Twitter handle of Elliot Alderson exploited the lack of authentication in Indane’s local dealers’ portal. 

The biggest-ever Aadhaar breach which jeopardized one billion citizens’ data on the Unique Identification Authority of India (UIDAI) database was caused due to access by unauthorized agents.

Robert, in his blog on Medium, revealed that he was able to extract details like the Aadhaar number, name and address of 5,826,116 Indane customers by writing a Python script which generated 11,062 valid user IDs. 

He added that the endpoint found in the Android app helped obtain all the valid dealer IDs and with this, he was able to “scrape” the ‘total records’ in the local dealer portal.

Indane, probably getting a whiff of the leak, blocked his IP, thereby not allowing him to test the remaining 1,572 dealers.

Leak? What leak?

In its tweet, Indian Oil declared that its software captures only the Aadhaar number which is required for LPG subsidy transfer, and therefore, the leakage of Aadhaar data was impossible. Additionally, the Oil & Gas giant declared that Aadhaar numbers are not hosted on the website.

However, a screenshot (see pic) shared by Robert reveals the Aadhaar number being displayed at the bottom, along with the names and addresses of users. 

Robert, after being tipped off by an anonymous follower, disclosed the vulnerability to Indane on the 15th of this month. Having received no response from Indane, he went public with his finding on 19 Feb’.

Shortly after Robert went public with his finding, the page which apparently revealed the leaked Aadhaar numbers was taken offline. 

UIDAI hasn’t yet responded to the leak, and CSO Online is awaiting a response from the CISO of the Indian Oil Corporation.