HYDERABAD: Is our data stored by government on its portals and databases safe? Not quite, proved an Italian hacker who broke into Telangana’s NREGA portal, purportedly to highlight the flaws in the security infrastructure.Independent security researcher Robert Baptiste hacked the State government’s website http://tspost.aponline.gov.in and released its API keys on social media. The security flaw exposed that sensitive details like Aadhaar number, bank account number and other details of those linked to the NREGA scheme in Telangana could be accessed by a hacker.
The IT Department was notified of the security flaw on Friday and it initiated a scan and audit of all government web portals on Monday. The website in question was taken down a few hours after Express reached out to government officials regarding the hack.Robert claims he has been researching and exposing loopholes in the Aadhaar architecture over the past few months. “In theory, a government website is very secure but in #India it’s another story. http://tspost.aponline.gov.in is vulnerable to a basic SQL injection,” he tweeted on Friday.
SQL injection is the most-common web hacking technique where malicious codes are placed in SQL statements. “The website is vulnerable to a basic SQL injection. Thanks to that, you can access all database of this website,” Robert said in a communication with Express. Using the SQL injection process, Robert did not just access Aadhaar details from NREGA website, but was also able to gain access to API keys of UIDAI’s Aadhaar database.
Using API keys of Aadhaar, anyone can make a fake Aadhaar app and upload the same on Google Playstore. In August last year, a techie working with Ola was arrested by Bangalore police for doing just that.“The only way to check if Aadhaar data hosted by governments are misused is by checking the logs,” said a security analyst who did not wish to be named.
“India’s IT Act prevent’s Indian researchers from looking into source codes of government digital services to find system flaws. As a result, the work is mostly done by foreign researchers. The UIDAI does not even have a portal where people can report these problems.”Government spokesperson assured the issue was not serious.
“We often have security researchers reach out to us highlighting security flaws and we do take corrective action. This is not a serious issue when one security loophole is closed another crop up. We have looked into the matter and have initiated a scan of all government web portals,” said Konatham Dileep, Director-Digital Media, Department of Information Technology, Electronics and Communication.
What is SQL injection?
Its is a code injection technique that might destroy your database. SQL injection is one of the most common web hacking techniques.
What is API?
API’s can be described as a way to plug your website into another. The code made available is called the API and can be used to build tools and widgets that are called applications.