encrypted database that is being protected behind 13 feet high and
5 feet thick walls,” when one can simply fetch a copy of the same
data from other sources.
French security researcher Baptiste Robert, who goes by the
pseudonym “Elliot Alderson” on Twitter, with the help of an Indian
researcher, who wants to remain anonymous, discovered that the
official website of popular state-owned LPG gas company Indane is
leaking personal details of its millions of customers, including
their Aadhaar numbers.
This is not the first time an unprotected third-party database has
leaked Aadhaar details of Indian citizens. Aadhaar is a unique
number assigned to each citizen as part of India’s biometric
identity programme maintained by the government’s Unique
Identification Authority of India (UIDAI).
Earlier this week, an anonymous Indian researcher initially
discovered a loophole in Indane’s online dealers portal that
could allow anyone to access hundreds of thousands of customers’
data associated with their respective dealers without requiring any
authentication.
“Due to a lack of authentication in the local dealers portal,
Indane is leaking the names, addresses and the Aadhaar numbers of
their customers,” Robert wrote in a blog
post[1] on Medium late Monday.
The researcher shared his findings with Robert, who previously gained
fame for exposing numerous Aadhaar-related leaks and security
weaknesses in other Indian websites and services.
can actually fetch millions of Indian citizens’ data from the Indane
website if they know every dealer’s username, which he later found
using another vulnerability in Indane’s official mobile
app.
The mobile app vulnerability allowed Robert to find 11,062 valid
dealer IDs, out of which he used 9490 IDs against the online
dealers portal to fetch personal data of 5.8 million users,
including their Aadhaar numbers, names and residential addresses.
“Unfortunately, Indane probably blocked my IP, so I didn’t test the
remaining 1572 dealers. By doing some basic math we can estimate
the final number of affected customers around 6,791,200,” Robert
says.
Indian Oil Corporation, on 15th February, and made the public
disclosure on 19th February after receiving no response from the
company.
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/TNc_TT1-wcs/indane-aadhaar-leak.html