Basically, we are piggybacking on their to make our requests. And since there is no login required, UIDAI thinks that all the requests are originating from NSDL servers, which is clearly not the case, as I can make as many requests as I want for free. This, in fact, should have been chargeable to the other AUAs.

In this case, my intention was not to mess around with anything related to . I understand that this is not such a serious issue, because I can’t retrieve the information, I can only verify it. I believe that if you look closely into the AUAs, KUAs, and SUB-AUAs, which are only going to increase in future, you will find for sure. Remember the Srivastava case from last year, who made an e-KYC app (as far as I remember, he also did something like this, but for the KYC ).

I understand that your infrastructure and the way you store the data is secure but that doesn’t mean that there are no vulnerabilities along the way.

The issue here is that I found this loophole in less than 5 minutes in a SUB-AUA that performs demographic for the general public. I believe that on closer inspection, you can find implementation vulnerabilities in biometric and AUAs too.
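The pattern described above, a public-facing SUB-AUA endpoint that forwards verification requests on the operator's own upstream credentials without identifying its callers, is shown here as an added example in Python. It is not part of the original post and is not any AUA's or UIDAI's real code: the upstream service, its record store, the license key, the client identifier and the API key are all constructed placeholders. The contrast it draws is between the open endpoint (any caller consumes the operator's upstream quota, and the upstream only ever sees the operator) and a hardened gateway that authenticates each client, records every forwarded call against that client in an audit log, and enforces a per-client quota before anything is sent upstream.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# The gateway operator's own upstream credential (placeholder value, constructed).
UPSTREAM_LICENSE_KEY = "PLACEHOLDER-UPSTREAM-LICENSE-KEY"

# Constructed stand-in for the authority's record store: one demo record.
_AUTHORITY_RECORDS = {"123412341234": "TEST USER"}


def upstream_verify(license_key, uid, name):
    """Stand-in for the upstream demographic verification call (constructed).

    The upstream authenticates only the license key, so it can attribute and
    bill a request to the license holder alone, never to whoever stood
    behind the gateway that forwarded it.
    """
    if not hmac.compare_digest(license_key, UPSTREAM_LICENSE_KEY):
        raise PermissionError("unknown license key")
    return _AUTHORITY_RECORDS.get(uid) == name


def open_gateway(uid, name):
    """The flawed pattern from the text: no caller identity, no quota.

    Every request from anyone who can reach the endpoint is forwarded with
    the operator's credential, so the operator absorbs the cost and the
    upstream sees only the operator.
    """
    return upstream_verify(UPSTREAM_LICENSE_KEY, uid, name)


class HardenedGateway:
    """Requires a per-client API key, attributes each call to that client,
    and enforces a per-client quota before anything is forwarded upstream."""

    def __init__(self, client_key_hashes, quota, window_seconds=60, clock=time.monotonic):
        # {client_id: sha256 hex digest of that client's API key}; raw keys are never stored.
        self._client_key_hashes = client_key_hashes
        self._quota = quota
        self._window = window_seconds
        self._clock = clock
        self._calls = defaultdict(list)  # client_id -> timestamps of forwarded calls
        self.audit_log = []              # (timestamp, client_id, outcome)

    def _authenticate(self, client_id, api_key):
        expected = self._client_key_hashes.get(client_id)
        if expected is None or api_key is None:
            return False
        presented = hashlib.sha256(api_key.encode()).hexdigest()
        return hmac.compare_digest(presented, expected)

    def _within_quota(self, client_id, now):
        # Sliding window: keep only calls newer than the window, then compare to the quota.
        recent = [t for t in self._calls[client_id] if now - t < self._window]
        self._calls[client_id] = recent
        return len(recent) < self._quota

    def verify(self, client_id, api_key, uid, name):
        now = self._clock()
        if not self._authenticate(client_id, api_key):
            self.audit_log.append((now, client_id, "rejected: bad credentials"))
            raise PermissionError("client authentication failed")
        if not self._within_quota(client_id, now):
            self.audit_log.append((now, client_id, "rejected: quota exceeded"))
            raise RuntimeError("quota exceeded")
        self._calls[client_id].append(now)
        result = upstream_verify(UPSTREAM_LICENSE_KEY, uid, name)
        self.audit_log.append((now, client_id, f"forwarded: match={result}"))
        return result


def demo():
    """Runs the open endpoint for an anonymous caller, then the hardened one:
    it rejects the same anonymous caller, serves a registered client twice,
    and cuts that client off at its quota. Returns the outcomes for checking."""
    anonymous_ok = open_gateway("123412341234", "TEST USER")

    key_hash = hashlib.sha256(b"demo-client-secret").hexdigest()  # constructed client key
    gw = HardenedGateway({"client-A": key_hash}, quota=2, window_seconds=60)

    try:
        gw.verify("client-A", None, "123412341234", "TEST USER")
        anonymous_rejected = False
    except PermissionError:
        anonymous_rejected = True

    first = gw.verify("client-A", "demo-client-secret", "123412341234", "TEST USER")
    second = gw.verify("client-A", "demo-client-secret", "123412341234", "WRONG NAME")
    try:
        gw.verify("client-A", "demo-client-secret", "123412341234", "TEST USER")
        quota_enforced = False
    except RuntimeError:
        quota_enforced = True

    return {
        "open_endpoint_served_anonymous": anonymous_ok,
        "hardened_rejected_anonymous": anonymous_rejected,
        "first_match": first,
        "second_match": second,
        "quota_enforced": quota_enforced,
        "audit_entries": len(gw.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit log is what makes the difference operationally: with the open endpoint, the only party the upstream can point to for a burst of free requests is the gateway operator, whereas the hardened gateway leaves a per-client record that the operator can reconcile against what the upstream later charges. The quota check runs before the upstream call, so a client that has exhausted its allowance never costs the operator anything.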
