NREGA website hacked, but no alarm bells ring

HYDERABAD: Is our data stored by government on its portals and databases safe? Not quite, proved an Italian hacker who broke into Telangana’s NREGA portal, purportedly to highlight the flaws in the security infrastructure.

Independent security researcher Robert Baptiste hacked the State government’s website http://tspost.aponline.gov.in and released its API keys on social media. The security flaw meant that sensitive details such as Aadhaar numbers, bank account numbers and other details of those linked to the NREGA scheme in Telangana could be accessed by a hacker.

The IT Department was notified of the flaw on Friday and it initiated a scan and audit of all government web portals on Monday. The website in question was taken down a few hours after Express reached out to officials regarding the hack.

Robert claims he has been researching and exposing loopholes in the Aadhaar architecture over the past few months. “In theory, a government website is very secure but in India it’s another story. http://tspost.aponline.gov.in is vulnerable to a basic SQL injection,” he tweeted.

SQL injection is the most common web hacking technique, in which malicious code is placed in SQL statements. “The website is vulnerable to a basic SQL injection. Thanks to that, you can access all database of this website,” Robert said in a communication with Express. Using SQL injection, Robert did not just access Aadhaar details from the NREGA website, but was also able to gain access to API keys of UIDAI’s Aadhaar database.

Using the Aadhaar API keys, anyone can make a fake Aadhaar app and upload it to the Google Play Store. In August last year, a techie working with Ola was arrested by Bangalore police for doing just that. “The only way to check if Aadhaar data hosted by governments are misused is by checking the logs,” said a security analyst who did not wish to be named.

A government spokesperson gave an assurance that the issue was not serious. “We often have security researchers reach out to us highlighting security flaws and we do take corrective action,” said Konatham Dileep, Director-Digital Media, Department of Information Technology, Electronics and Communication.

The New Indian Express
www.newindianexpress.com