Elliot Alderson is a name TV fans will recognise as the protagonist of the series Mr. Robot. Someone using that name on Twitter is now exposing security flaws in the mAadhaar app, currently one of the most debated topics in India. The Twitter user claims that user data can be stolen by anyone who has physical access to the victim’s phone.
In a tweet thread, he explained the flaw and pointed out the security issues in the app. According to him, mAadhaar stores the user’s Aadhaar-related data in a local database that is protected with a password, and that password is trivial to recover.
The reason is how the password is generated: according to him, it is derived from a random number generator seeded with the constant 123456789 combined with the hardcoded string db_password_123, so the "random" value, and therefore the password, is the same on every installation. He also pointed out that the app ships with a debug feature that is enabled by default. Someone can repackage the app with logging activated and distribute it; the Aadhaar data is then written to a log file on the SD card, which the attacker can easily upload to a server of his own.
1. Hi @UIDAI and @KhoslaLabs ?! Let me show you why it’s not a good idea to keep a “debug feature” in the #Aadhaar #Android app you released
— Elliot Alderson (@fs0c131y) January 12, 2018
When he tagged UIDAI in the thread, they were quick to respond, saying that the local database only holds application preferences created by the user and that the app never captures, stores or takes any biometric inputs, so biometrics cannot be compromised. Here is the response from UIDAI:
mAadhaar uses a local db to store the user preferences on the user’s device. This data is application preferences as created by the user on his/her phone. The app does not capture, store or take any biometric inputs. So the question of biometrics being compromised does not arise.
— Aadhaar (@UIDAI) January 11, 2018
He also showed proof of an Aadhaar database password generator which, according to him, produces the same password every time. A password that never changes does not need to be cracked: anyone who extracts the generator from the app can simply recompute it. However, it has not been independently confirmed whether this works against the app in real life.
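The weakness described in the thread, as an added example: this is not code from the mAadhaar app or from the researcher. The page only says that the password comes from a random number seeded with 123456789 and the hardcoded string db_password_123; how the two are combined and which PRNG the app uses are not stated, so the concatenation below and the use of java.util.Random’s algorithm are assumptions. The point does not depend on them: with a fixed seed the "random" number is a constant, the password can be recomputed on any machine in any language, and every install shares it. The `strong_db_password` function shows the contrast with a per-install secret from the OS CSPRNG.

```python
"""Added example: why a fixed-seed PRNG plus a hardcoded string is a constant password.

The combination scheme and the choice of java.util.Random are assumptions; the
constants 123456789 and db_password_123 are the ones reported in the tweet thread.
"""
import secrets

# java.util.Random is a 48-bit linear congruential generator with these parameters.
MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1


class JavaRandom:
    """Minimal port of java.util.Random, enough to reproduce nextInt() off-device."""

    def __init__(self, seed: int) -> None:
        self.seed = (seed ^ MULT) & MASK  # Java scrambles the seed on construction

    def _next(self, bits: int) -> int:
        self.seed = (self.seed * MULT + ADD) & MASK
        return self.seed >> (48 - bits)

    def next_int(self) -> int:
        v = self._next(32)
        return v - (1 << 32) if v >= (1 << 31) else v  # signed 32-bit, like Java


FIXED_SEED = 123456789          # constant reported in the tweet thread
HARDCODED = "db_password_123"   # constant reported in the tweet thread


def weak_db_password(seed: int = FIXED_SEED, hardcoded: str = HARDCODED) -> str:
    """Assumed reconstruction: hardcoded string + first nextInt() of a fixed-seed PRNG.

    Same inputs give the same output on every device, every install, every run,
    so the "random" part adds no secrecy at all.
    """
    rng = JavaRandom(seed)
    return f"{hardcoded}{rng.next_int()}"


def strong_db_password(nbytes: int = 32) -> str:
    """Per-install secret from the OS CSPRNG.

    On Android this would be generated once and kept in the Keystore rather than
    in the APK; here it only shows that two installs no longer share a password.
    """
    return secrets.token_hex(nbytes)


def same_on_every_install(derive, installs: int = 3) -> bool:
    """Simulate several fresh installs and report whether they all derive one password."""
    return len({derive() for _ in range(installs)}) == 1


if __name__ == "__main__":
    print("weak password :", weak_db_password())
    print("weak identical across installs  :", same_on_every_install(weak_db_password))
    print("strong identical across installs:", same_on_every_install(strong_db_password))
```

Because the generator is deterministic, the attacker does not need the victim’s phone to learn the password, only a copy of the APK; physical access is needed merely to read the database file. The `JavaRandom` port is checked against the known first output of `new Random(42).nextInt()` in Java, -1170105035, so the values it produces match what the real class would produce for the same seed.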
This is not the first time someone has shown flaws in Aadhaar. Earlier, an engineering graduate revealed how he could get access to the database using the e-KYC Verification app. Just last week, a report revealed a major security loophole in the Aadhaar database itself.
That loophole reportedly made it easy for anyone to get unrestricted access to the database by paying as little as Rs. 500, or around $8. This new revelation may leave many with even less confidence in UIDAI, and it further undermines the claims made by the Government and UIDAI that Aadhaar data is in safe hands.