Basically, we are piggybacking on their services to make our requests. And since there is no login required, UIDAI thinks that all the requests are originating from NSDL servers, which is clearly not the case, as I can make as many requests as I want for free. This, in fact, should have been chargeable by the other AUAs.
In this case, my intention was not to mess around with anything related to Aadhaar. I understand that this is not such a serious issue because I can’t retrieve the Aadhaar information; I can only verify it. I believe if you look closely into the AUAs, KUAs, and SUB-AUAs, which are only going to increase in future, you will find loopholes for sure. Remember the Srivastava case from last year, who made an e-KYC app (as far as I remember, he also did something like this, but for the KYC API).
I understand that your infrastructure and the way you store the data are secure, but that doesn’t mean that there are no vulnerabilities along the way.
The issue here is that I found this loophole in less than 5 minutes in a SUB-AUA that performs demographic authentication for the general public. I believe that on closer inspection, you can find implementation vulnerabilities in biometric authentication and AUAs too.