In a six hour demonstration, a Bengaluru techie and entrepreneur showed the police how easy it was for him to access Aadhaar data from the UIDAI data base. Abhinav Srivastava was arrested last week for the data theft following a complaint by the UIDAI authorities.
Cyber crime police in Bengaluru recorded Abhinav's modus operandi which highlighted a glaring security chink, the lack of Hypertext Transfer Protocol Secure (HTTPS) in the URL that helped Abhinav access details. The founder of an Ola subsidiary firm, Qarth Technologies Pvt Ltd, Abhinav used shortcuts to access data from various websites that used Aadhaar data.
HTTPS consists of communication over Hypertext Transfer Protocol within a connection encrypted by Transport Layer Security. In simpler terms, it is a far better secure connection than the HTTP. HTTPS is aimed at authentication of the visited website and protection of the privacy and integrity of the exchanged data. The lack of it helped the accused hack into an e-hospital website.
On initial investigation, it was found that Abhinav accessed Aadhaar information from an e-hospital's server hosted by the National Informatics Centre. The hospital was a Know Your Customer user agency which has tied up with the UIDAI. Abhinav hacked into the hospital's system and linked the information on its server to an app that he developed.
The app, which was available on google store, has been removed now. It was able to redirect users to the e-hospital's servers to access KYC data. Even as he claimed that he did not steal any information but only gave access to a server, using Aadhaar data without prior permission from the UIDAI is a violation of the Aadhaar law.
Abhinav who holds a masters degree from IIT-Kharagpur used the loopholes in the e-hospital's URL to gain access to its unsecured servers. With his app, anyone could access details about anyone who had an Aadhaar card breaching the privacy of individuals. Following a complaint by the UIDAI, the High grounds police in Bengaluru booked Abhinav, his company and its promoters for accessing secure Aadhaar database and leaking information under sections 37, 38, 29(2) of Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act 2016, sections 65 and 66 of the IT Act.