If you think your Aadhaar data is only in the hands of those authorised to access the official Aadhaar database, think again. Following up on an investigation by The Tribune, The Quint found that completely random people like you and me, with no official credentials, can access and become admins of the official Aadhaar database (with names, mobile numbers, addresses of every Indian linked to the UIDAI scheme). But that’s not even the worst part. Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters – the Aadhaar database won’t ask.
A person of your choosing would then have access to the data of all 119,22,59,062 Aadhaar cardholders.
Exposed: Massive Security Loophole in Aadhaar Portal
Let’s break it down.
Say Person X has an email address registered on the Aadhaar portal for access to the user information of Aadhaar cardholders. The URL for the portal website is http://portal.uidai.gov.in/.
(By the way, within hours of The Tribune’s report that showcased how a reporter could access the Aadhaar portal in 5 minutes and by spending Rs 500, the website portal.uidai.gov.in was down. Visiting the site gave the response – “This site can’t be reached.”)
Getting back to Person X.
Now, Person X may have been provided access to the Aadhaar portal by the government for carrying out certain legitimate functions.
However, here’s the catch.
Person X also has the ability to provide anybody else in the world the rights to access the portal as an admin.
Yes, let that sink in. Person X can basically freely distribute access to the secure, protected Aadhaar government portal to anybody he wants. All X needs to do is enter the name and email address of any individual into the portal, and that person becomes a new admin with access to the Aadhaar portal and all its data.
Let’s say X gives access to person Y and person Z. Persons Y and Z can then log onto the Aadhaar portal and add Persons A, B, C and so on.
The fact that a secure government portal allows any of its admins to indiscriminately add other admins is something that can be grossly misused. Well-placed sources familiar with the matter confirm that this provision has already indeed been misused. In fact, individuals with admin rights have even granted admin access to others in exchange for money.
The going rate for being granted access to the Aadhaar portal has varied from Rs 500 to Rs 6,000, and possibly higher in other cases.
Once an Admin, What Can You Do?
Once you are made an admin of the Aadhaar portal, here’s what you can do – and we’re not making this up. Well-placed sources have successfully attempted this.
Through the Aadhaar number of the person whose ID was originally used to access the portal, new admins can access user information of other Aadhaar cardholders.
The URL of the original admin’s profile contains his or her 12-digit Aadhaar number. All the new admin has to do is replace the 12-digit Aadhaar number with the Aadhaar number of anyone in the country. That person’s details will immediately pop up on the screen.
These details include:
- His or her photograph
- Full name
- Parent’s name
- Date of birth
- Email address
- Mobile number
- Gender
- Local language
- Complete residential address
Who Should Be Worried?
To cut a long story short – everyone.
If you think that your personal information is only vulnerable in case the new admins have your Aadhaar number, think again.
Since the portal allows an admin to view the data of different users by merely changing 12 digits of the URL, a computer program could potentially run different permutations and land up with the data of every single one of the 119,22,59,062 Aadhaar cardholders.
Does this site show your biometric data? No.
Is this still a worry for you?
Think about it. A photograph of you along with all that personal information of yours has been in the hands of unauthorised persons with no government links or credentials.
Yes, the fact that your personal data is unsafe should definitely worry you.
What could these unauthorised admins use the data for?
The unauthorised admins could sell your data, along with that of millions of others, for a fortune. They could attempt to extricate other personal information of yours based on the information that they already have.
It’s their call, really.
Dear UIDAI and Government of India, the data breach is worrisome to say the least. The fact that the Aadhaar portal, advertised as being secure, does not have any checks on authorised admins arbitrarily adding new individuals as admins poses a massive threat to our privacy and security.
Let’s face it, even relatively unimportant systems have access control via 2-stage or 3-stage processes, OTPs, biometric checks and the like – but the world’s largest biometric database allows its admin rights to be freely exchanged across any email address in the world. Could the UIDAI not have added a security check, such as a biometric authentication, for any unknown person who tries to log in from these freely exchangeable logins?
Is it too late to wake up and plug the holes now? And has the UIDAI even woken up yet?
Based on their denials on Twitter, it would not seem so.
There have always been significant doubts over how secure the Aadhaar database really is. Remember this tweet by Narendra Modi during his election campaign in 2014?
Today, it is the Congress’ turn to cry foul.
Regardless of the political buck-passing and mudslinging, one fact is for certain. It has now been conclusively proved that the Aadhaar database is anything but secure. With the Supreme Court all set to hear the Aadhaar case this month, this is just the latest worry that the UIDAI will have to deal with. And answer for.
The Quint has reached out to the authorities at the UIDAI for a response to this investigation. This article will be updated with their response if and when they revert.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)