The Indian Government has addressed a critical vulnerability in India-based secure document wallet DigiLocker that could allow a remote attacker to bypass one-time passwords (OTP) authentication and sign in as other users.
An OTP is a temporary password that is valid for only one login session or financial transaction on a computer or mobile application. The advantage of OTPs is that they are not vulnerable to replay attacks: an attacker cannot reuse an OTP that was already used to log into a service or complete a transaction, since it is no longer valid.
In a security alert, DigiLocker stated that the vulnerability exists in the wallet’s signup process. The vulnerability is now fixed after the Indian Computer Emergency Response Team (CERT-In) and independent researchers alerted DigiLocker.
“The nature of the vulnerability was such that an individual’s DigiLocker account could potentially get compromised if the attacker knew the username for that particular account. It was not a vulnerability that could let anyone get access to the DigiLocker account of anyone whose username and other details were not known. Upon analysis, it was discovered that this vulnerability had crept into the code when some new features were added recently. The vulnerability was patched on a priority basis by the technical team within a day of getting the alert from CERT-In. This was not an attack on infrastructure, and no data, database, storage, or encryption was compromised,” DigiLocker said in a statement.
What is DigiLocker?
DigiLocker is a mobile application from the government of India, under its Digital India initiative, which provides a cloud-based repository for users to save critical documents such as a driving license, vehicle registration, or academic mark sheet in digital format. A DigiLocker account is linked to the user's mobile number and Aadhaar ID.
According to independent security researchers Mohesh Mohan and Ashish Gahlot, the vulnerability could have been exploited easily to gain unauthorized access to sensitive documents uploaded by users. All an attacker needed was the victim's Aadhaar ID, linked mobile number, or username: that was enough to prompt the service to send an OTP for the targeted DigiLocker account and then exploit the vulnerability to bypass the sign-in process.
“The OTP function lacks authorization, which makes it possible to perform OTP validation by submitting any valid user's details and then manipulating the flow to sign in as a totally different user,” Mohan said in a blog post.
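The flaw Mohan describes is an OTP check that is not bound to the account the code was issued for, so a valid code for one account can be followed by a sign-in as another. The example below, added here and not DigiLocker's code, puts that unbound pattern beside a bound one, and also shows the single-use and expiry properties from the OTP explanation earlier. The `OtpService`, `vulnerable_sign_in` and `hardened_sign_in` names and the whole flow are hypothetical, constructed for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Challenge:
    """One issued OTP, tied to the username it was issued for (constructed toy type)."""
    username: str
    code: str
    expires_at: float
    used: bool = False


class OtpService:
    """Issues and verifies single-use, time-limited OTPs. Hypothetical toy, not DigiLocker's code."""

    def __init__(self, ttl_seconds: int = 300) -> None:
        self.ttl = ttl_seconds
        self.challenges: Dict[str, Challenge] = {}

    def issue(self, username: str, now: Optional[float] = None) -> Tuple[str, str]:
        now = time.time() if now is None else now
        challenge_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"  # six random digits
        self.challenges[challenge_id] = Challenge(username, code, now + self.ttl)
        # In a real deployment the code goes to the user's phone; it is returned
        # here only so the scenarios below can use it.
        return challenge_id, code

    def verify(self, challenge_id: str, code: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username the OTP was issued for, or None on any failure.
        Marking the challenge as used is what makes a replayed code fail."""
        now = time.time() if now is None else now
        ch = self.challenges.get(challenge_id)
        if ch is None or ch.used or now > ch.expires_at:
            return None
        if not hmac.compare_digest(ch.code, code):  # constant-time comparison
            return None
        ch.used = True
        return ch.username


def vulnerable_sign_in(svc: OtpService, challenge_id: str, code: str, requested_user: str):
    """Unbound pattern: the OTP check only proves that *some* valid challenge
    passed; the session identity is taken from the request and never compared
    with the account the OTP was issued for."""
    if svc.verify(challenge_id, code) is None:
        return None
    return {"user": requested_user}


def hardened_sign_in(svc: OtpService, challenge_id: str, code: str, requested_user: str):
    """Bound pattern: the session identity comes from the verified challenge,
    and any mismatch with the requested account is rejected."""
    verified_user = svc.verify(challenge_id, code)
    if verified_user is None or verified_user != requested_user:
        return None
    return {"user": verified_user}


def run_scenarios() -> dict:
    """Constructed scenarios with two hypothetical accounts, alice and bob."""
    results = {}
    # 1. Unbound check: code issued for alice, session requested as bob.
    svc = OtpService()
    cid, code = svc.issue("alice")
    results["unbound_cross_account"] = vulnerable_sign_in(svc, cid, code, "bob")
    # 2. Bound check with the same inputs: rejected.
    svc = OtpService()
    cid, code = svc.issue("alice")
    results["bound_cross_account"] = hardened_sign_in(svc, cid, code, "bob")
    # 3. Bound check, honest use: accepted.
    svc = OtpService()
    cid, code = svc.issue("alice")
    results["bound_same_account"] = hardened_sign_in(svc, cid, code, "alice")
    # 4. Replay of the code just accepted in scenario 3: rejected (single-use).
    results["replay"] = hardened_sign_in(svc, cid, code, "alice")
    # 5. Code presented after its validity window: rejected.
    svc = OtpService(ttl_seconds=300)
    cid, code = svc.issue("alice", now=0)
    results["expired"] = svc.verify(cid, code, now=301)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the split between `OtpService.verify` and the two sign-in functions is that the verifier already knows which account a code belongs to; the defect is in a caller that discards that answer and trusts the identity supplied in the request instead. Logging the verified username alongside the requested one, and alerting on mismatches, is a cheap detection for this class of bug.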