French researcher "finds" 20,000 Aadhaar cards online, UIDAI dismisses threats

Mar 12, 2018
05:12 pm

What's the story

French security researcher Robert Baptiste (alias Elliot Anderson) is on a privacy checking spree. In the last few days, he claims to have exposed vulnerabilities on ISRO and Indian Post's websites and helped them correct the issues. Now he claims to have "found" details of over 20,000 Aadhaar card-holders in three hours. But UIDAI has dismissed the reports as "irresponsible" and "far from truth."

Case

How did he "find" 20,000 Aadhaar cards?

Baptiste, who operates @fs0c131y, tweeted early yesterday: "I will play a game tonight: How many #Aadhaar card I can found in 3 hours? Note: All cards must be available publicly." He then kept posting updates on how many Aadhaar cards he had "found." By 4:17am, he claimed to have "found more than 20000 Aadhaar cards available publicly on the web" with "a manual search."

Twitter Post

'Repeat after me: #Aadhaar is secure, #Aadhaar is secure...'

UIDAI

Publication of details doesn't mean security threatened: UIDAI clarifies

Hours later, without addressing anyone, UIDAI issued several tweets. "Aadhaar by its very nature needs to be shared openly," it said. But "if anybody unauthorizedly publishes someone's personal information, he can be sued for civil damages by the person whose privacy is infringed." However, such publication "in no way it threatens the system which has issued those IDs," such as banks or the income tax system.

Twitter Post

'Not a single breach in biometric database in eight years'

Others

When Baptiste helped ISRO, Indian Post check vulnerabilities

In recent days, Baptiste revealed that one of ISRO's computers "had been compromised by a well known Remote Access Trojan called XtremeRAT." After ISRO contacted him, "they told me the issue is now fixed." He also raised an issue with Indian Post's website: "One of the @IndianPostOffice subdomain was vulnerable to an Apache vulnerability aka CVE 2017-5638." This too has been fixed, he says.

Twitter Post

Apollo Hospitals next on Baptiste's list?