The Indian Government fixed a critical vulnerability in the secure document wallet service Digilocker which could have permitted anyone to bypass mobile one-time passwords (OTP) and sign in as another user to access their saved documents.
According to security researcher Mohesh Mohan, the OTP endpoint lacked an authorization check: it would validate an OTP against whatever valid user's details were submitted in the request, and by manipulating the flow an attacker could sign in as a different user.
Digilocker, which has more than 38 million registered users, is a cloud-based repository that acts as a digital platform to facilitate online processing of documents and faster delivery of various government-to-citizen services. It is linked to a user's mobile number and Aadhaar ID, which is issued to every resident of India.
The researcher stated that in order to access a targeted Digilocker account, the attacker just has to know the victim's Aadhaar ID, linked mobile number, or username, prompting the service to send an OTP and subsequently exploiting the flaw to bypass the sign-in process.
The mobile app version of Digilocker also comes with a 4-digit PIN for an added layer of security. But it was also possible to modify the API calls that authenticate the PIN by associating the PIN with another user (identified with a version-5 UUID) and successfully log in as the victim.
This means “you can do the SMS OTP [verification] as one user and submit the pin of a second user, and finally, you can log in as the second user.”
The absence of authorization on the API endpoint used to set the secret PIN also meant the endpoint could be abused to reset the PIN of an arbitrary user, given only that individual's UUID.
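The class of flaw described above, as an added illustration that is not DigiLocker's code: a hypothetical PIN-verification step that trusts a client-supplied user id, beside one that only checks the PIN against the identity the OTP step already bound to the server-side session. The account records, UUIDs and session store are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts for the illustration; the UUIDs and numbers are made up.
USERS = {
    "uuid-user-a": {"mobile": "9000000001", "pin_hash": hashlib.sha256(b"1111").hexdigest()},
    "uuid-user-b": {"mobile": "9000000002", "pin_hash": hashlib.sha256(b"2222").hexdigest()},
}
# Server-side session store: session id -> identity established by the OTP step.
SESSIONS = {}


def _pin_matches(uuid, pin):
    rec = USERS.get(uuid)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pin_hash"], hashlib.sha256(pin.encode()).hexdigest())


def start_session_after_otp(mobile):
    """Assumes the SMS OTP for `mobile` was just verified; binds that user to a new session."""
    uuid = next((u for u, rec in USERS.items() if rec["mobile"] == mobile), None)
    if uuid is None:
        return None
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"otp_user": uuid}
    return sid


def verify_pin_vulnerable(session_id, request):
    """Flawed pattern: the user to check the PIN against is taken from the request body,
    so a session that passed OTP as one user can present another user's uuid and PIN."""
    if session_id not in SESSIONS:
        return None
    uuid = request.get("uuid")
    return uuid if _pin_matches(uuid, request.get("pin", "")) else None


def verify_pin_fixed(session_id, request):
    """Hardened pattern: the PIN is only ever checked against the identity that the
    OTP step bound to this session; a client-supplied uuid is not trusted."""
    state = SESSIONS.get(session_id)
    if state is None:
        return None
    uuid = state["otp_user"]
    if "uuid" in request and request["uuid"] != uuid:
        return None  # request claims a different identity than the session proved
    return uuid if _pin_matches(uuid, request.get("pin", "")) else None
```

The same session-binding rule applies to the PIN-reset endpoint: the user whose PIN is being set must come from the authenticated session, never from the request body.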
Besides, the API calls from the mobile apps were protected only by basic authentication, which could be bypassed by removing the header flag “is_encrypted: 1”. The application was also found to implement a weak SSL pinning mechanism, making it vulnerable to a bypass using tools like Frida.
Around the same time, another researcher, Ashish Gahlot, independently found the same issue and reported it to the Indian Computer Emergency Response Team (CERT-In). The issues were fixed immediately after the alert came through from CERT-In.
Digilocker tweeted that the nature of the vulnerability was such that an individual's DigiLocker account could potentially be compromised if the attacker knew the username for that particular account. It was not a vulnerability that could let anyone access the DigiLocker account of a person whose username and other details were not known.
On detailed analysis it was found that the vulnerability had been introduced into the code with the recent addition of some new features. The team assured that no data, database, storage, or encryption was compromised as a result.