New Delhi: An unsecured application programming interface (API) operated by a state-run utility service provider is leaking Aadhaar details, according to a report published on Saturday.

ZDNet, a US-based technology and business news website, has reported that a “data leak on a system run by a state-owned utility company can allow anyone to download private information on all Aadhaar holders, exposing their names… and information about services they are connected to, such as their bank details”.

The publication, however, is withholding details of the security vulnerability and the name of the utility service provider until the issue is fixed.

The details of this data leak were apparently first discovered by a New Delhi-based security researcher named Karan Saini.

“The utility provider, which we are not naming, has access to the Aadhaar database through an API, which the company relies on to check a customer’s status and verify their identity. But because the company hasn’t secured the API, it’s possible to retrieve private data on each Aadhaar holder, regardless of whether they’re a customer of the utility provider or not,” the report notes.

According to Saini, the API’s endpoint “has no access controls”, allowing anyone to query “Aadhaar numbers against the database without any additional authentication”.

A questionnaire has been sent to the Unique Identification Authority of India (UIDAI) and this story will be updated if and when a response is received.

The report also notes that because the API “doesn’t have any rate limiting in place”, it allows potential hackers and attackers to “cycle through every permutation of Aadhaar numbers and obtain information each time a successful result is hit”.

According to ZDNet, the endpoint not only pulls data on that utility provider’s customers, but also allows access to the Aadhaar details of people who have “connections with other utility companies as well”.