Any Indian DigiLocker Account Could’ve Been Accessed Without Password



The Indian Government said it has addressed a critical vulnerability in its secure document wallet service Digilocker that could have potentially let a remote attacker bypass mobile one-time passwords (OTP) and sign in as other users.

Discovered separately by two independent bug bounty researchers, Mohesh Mohan and Ashish Gahlot, the vulnerability could have been exploited easily to unauthorisedly access sensitive documents uploaded by targeted users’ on the Government-operated platform.

“The OTP function lacks authorization which makes it possible to perform OTP validation with submitting any valid users details and then manipulation flow to sign in as a totally different user,” Mohesh Mohan said in a disclosure shared with The Hacker News.

Read more…