Indian government sites are often criticized for weak cyber security and poor protection of people’s information. To point out a flaw in the Telangana government’s NREGA portal, French hacker and independent security researcher Robert Baptiste hacked into the state government’s website.
He reportedly contacted the site owners about the issue and, after receiving no response for some time, published his results on social media.
In theory, a government website is very secure but in #India it's another story... https://t.co/88CKv3hM9q is vulnerable to a basic SQL injection... 🤦♂️ pic.twitter.com/3x1lX1mCUp — Elliot Alderson (@fs0c131y) February 25, 2018
The website (http://tspost.aponline.gov.in) was vulnerable to one of the most basic web hacking techniques, an SQL injection. It has now gone offline in the wake of this news.
“A basic SQL injection allows an attacker to access the database of the website,” Robert said. “To be clear, all the data on this website can be a dump. Telangana government officials say they are working to fix it. For this website, they have to hire decent web developers to protect it from attacks.”
TSPost, Telangana’s government benefit disbursement portal, contained the account details and Aadhaar numbers of over 56 lakh NREGA beneficiaries and 40 lakh beneficiaries of social security pensions.
Using the SQL injection, Robert was able to access not just the Aadhaar and account details from the website but also the API keys for UIDAI’s Aadhaar database. Access to those keys could enable anyone capable enough to make a fake Aadhaar app that could be uploaded to the Google Play Store for malicious use.
This is one of the many cases pointing out how vulnerable the Aadhaar system is to hacking and security breaches.