Indian state government fixes website bug that revealed Aadhaar numbers and fingerprints

A security researcher says a bug on an Indian state government website inadvertently revealed documents containing residents’ Aadhaar numbers, identity cards, and copies of their fingerprints.

The bug was fixed last week after the security researcher disclosed the bug to local authorities.

Sourajeet Majumder found the bug in the West Bengal government’s e-District web portal that allows state residents to access government services online, like obtaining birth and death certificates and building applications. Majumder said the website bug meant it was possible to obtain land deeds, which contain records about the owners of a piece of land, from the e-District website by guessing sequential deed application numbers.

Application identification numbers are unique 16-digit numbers issued by the state government when a local resident applies for a digital copy of a deed.

A partially blurred copy of an exposed West Bengal resident’s land deed.

Not every application identification number was valid. Using publicly available tools like Burp Suite to analyze the network traffic in and out of the website meant that Majumder could cycle through entire lists of sequential application numbers and use the responses from the server to determine if an application identification number was valid.

With access to an application identification number, anyone with a login to the e-District system could access a copy of a land deed. Two land deed records seen by TechCrunch contain the names of the individuals involved with the deed, their photographs, and their full set of fingerprints from both hands. It’s not uncommon to see multiple individuals on a single deed.

The deeds also contain the individuals’ government-issued identity documents, including their confidential Aadhaar numbers, which every citizen is assigned as part of India’s national identity and biometric database. Aadhaar numbers are required for accessing banking, cell phone plans, and many government services.

Majumder reported the website vulnerability to India’s computer emergency response team, known as CERT-In, and the West Bengal government, fearing that the vulnerability could be misused for identity fraud. The bug was fixed soon after.

It’s not known if anyone else other than Majumder discovered the bug. Representatives for the West Bengal government and CERT-In did not return requests for comment. The West Bengal government’s e-District website says it has processed more than 17 million applications to date, though it’s not known how many relate to land deeds.

Local media reports a recent rise in fraud linked to the alleged theft of biometric information, which criminals are said to be using to empty bank accounts.