prasad1
Australian information security expert Troy Hunt on Thursday pointed out a bunch of basic security flaws with the Aadhaar website uidai.gov.in. These included a vulnerability to "man in the middle attacks," outdated security certificates, and inadequate encryption of data.
In a blog post titled "Is India's Aadhaar System Really 'Hack-Proof'? Assessing a Publicly Observable Security Posture," Hunt clarified that he wasn't against the idea of Aadhaar, but he said the agency's "attitude of 'there cannot possibly be a security problem' is reckless and needs redressing."
On analysing the website, Hunt found that it blocked certain users based on their geographical location (a feature known as geo-blocking). Hunt says this can keep basic unauthorised automated attacks out, but that it is a weak measure that is "easily circumvented." He also found the website vulnerable to what are called "man in the middle" or MitM attacks.
These attacks typically involve a hacker taking advantage of the gaps in security when data travels from an access point to the website server. Another security concern Hunt flagged was the security certificate being used by the Aadhaar website. The one currently in use is due to expire for those using the Chrome browser in March this year.
"Aadhaar is complex and it will have flaws just like any other complex software product does. Some of them may be quite serious and they must be treated as such. That will require an open and receptive attitude from the government and above all, acknowledgment that Aadhaar is not 'hack-proof,'" Hunt wrote, exhorting the Indian government to "move the needle in the right direction" in securing Aadhaar while appreciating the UIDAI's move to introduce virtual tokens.
Hunt is a regional director with Microsoft and regularly holds workshops and hosts courses on information security. He is also the person behind the popular website haveibeenpwned.com where users can key in their email address to see if it has been compromised.
https://timesofindia.indiatimes.com...-blogs-aussie-expert/articleshow/62465993.cms