The Indian Government said it has addressed a critical vulnerability in its secure document wallet service Digilocker that could have potentially allowed a remote attacker to bypass mobile one-time passwords (OTP) and sign in as other users to access their sensitive documents stored on the platform.
“The OTP function lacks authorization, which makes it possible to perform OTP validation by submitting any valid user's details and then manipulating the flow to sign in as a totally different user,” security researcher Mohesh Mohan said in a disclosure shared with The Hacker News.
With over 38 million registered users, Digilocker is a cloud-based repository that acts as a digital platform to facilitate online processing of documents and speedier delivery of various government-to-citizen services. It’s linked to a user’s mobile number and Aadhaar ID—a unique identity number (UID) issued to every resident of India.
According to Mohan, to gain unauthorized access to a targeted Digilocker account, all an attacker needs to know is the victim’s Aadhaar ID, linked mobile number, or username, prompting the service to send an OTP and subsequently exploiting the flaw to bypass the sign-in…
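The flaw Mohan describes is an OTP check that is not bound to the identity that requested the code, so the account actually signed in can be chosen by the client. The added example below is not Digilocker's code and makes no claim about how its backend is built; it is a constructed, in-memory illustration of that defect next to a hardened version in which the signed-in subject is derived from the verified OTP challenge rather than from anything the client supplies. The user records, challenge identifiers, and `request_otp`/`sign_in` names are all assumptions for the demo.

```python
import hmac
import secrets
import time

# Constructed user directory for the demo (not real data).
USERS = {
    "u-1001": {"mobile": "+91-9000000001", "username": "asha"},
    "u-1002": {"mobile": "+91-9000000002", "username": "ravi"},
}

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


def lookup_user(identifier):
    """Resolve a user id, mobile number or username to the internal user id."""
    for uid, rec in USERS.items():
        if identifier in (uid, rec["mobile"], rec["username"]):
            return uid
    return None


def new_otp():
    return f"{secrets.randbelow(10**6):06d}"


class VulnerableOtpService:
    """Defective pattern: OTP validity is tracked on its own, with no record of
    which user it was issued for, and the sign-in subject comes from the client."""

    def __init__(self):
        self.otps = {}  # otp -> expiry; nothing ties the code to a user

    def request_otp(self, identifier):
        if lookup_user(identifier) is None:
            raise ValueError("unknown user")
        otp = new_otp()
        self.otps[otp] = time.time() + OTP_TTL_SECONDS
        return otp  # would be sent by SMS; returned here only for the demo

    def sign_in(self, otp, claimed_identifier):
        expiry = self.otps.pop(otp, None)
        if expiry is None or expiry < time.time():
            return None
        # Defect: any valid OTP unlocks whichever account the client names.
        return lookup_user(claimed_identifier)


class HardenedOtpService:
    """Hardened pattern: each OTP is stored under a challenge bound to the user
    who requested it; sign-in returns that user and takes no client-chosen subject."""

    def __init__(self):
        self.challenges = {}  # challenge_id -> {uid, otp, expiry, attempts}

    def request_otp(self, identifier):
        uid = lookup_user(identifier)
        if uid is None:
            raise ValueError("unknown user")
        challenge_id = secrets.token_urlsafe(16)
        self.challenges[challenge_id] = {
            "uid": uid,
            "otp": new_otp(),
            "expiry": time.time() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return challenge_id, self.challenges[challenge_id]["otp"]

    def sign_in(self, challenge_id, otp):
        rec = self.challenges.get(challenge_id)
        if rec is None:
            return None
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS or rec["expiry"] < time.time():
            del self.challenges[challenge_id]  # expired or brute-forced: discard
            return None
        if not hmac.compare_digest(rec["otp"], otp):
            return None
        del self.challenges[challenge_id]  # single use
        return rec["uid"]  # subject comes from the challenge, never the client


if __name__ == "__main__":
    v = VulnerableOtpService()
    code = v.request_otp("asha")
    print("vulnerable: OTP for asha signs in as", v.sign_in(code, "ravi"))
    h = HardenedOtpService()
    cid, code = h.request_otp("asha")
    print("hardened: challenge for asha signs in as", h.sign_in(cid, code))
```

The check a reviewer would apply to any OTP endpoint is the one the hardened class enforces: the verified code must be looked up by the identity (or challenge) it was issued for, the resulting session subject must come from that record, and the code must be single-use, time-limited, and attempt-limited so it cannot be replayed or guessed.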