More

    Indane Gas Company Leaks Aadhaar Details of Millions!

    Another day. Another leak.

    If you’re not bothered by any data leaks, well, at least now you should. ‘Coz it’s Aadhaar now!

    Indane Gas Company Leaks Aadhaar Details of Millions!

    Indane Gas Company Leaks Aadhaar Details of Millions!
    Aadhaar Details Leaks

    Remember what they’ve taken from us while registering?

    Your retinal scan, fingerprints, sensitive details of you and your family. That’s more than enough to hack you and if possible, make money.

    Aadhar number is just like Social Security Number which records complete details of a citizen. And because of some vulnerabilities, they’re often exposed explicitly. Today’s exposure is of Aadhaar’s from Indane company’s portal.

    Indane Oil and Gas company is a fuel service provider and a subsidiary of IOC (Indian Oil Corporation), which is the world’s second largest LPG marketer according to Wiki.

    The leak was tested and confirmed by Baptiste Robert (a.k.a Elliot Alderson), a French security researcher having experience in finding such security leaks.

    Aadhaar Card Leaks
    Aadhaar Card Leaks

    On February 10th, Elliot on Twitter received a private message from a guy spotting the vulnerability. He shared a URL which contains Consumer’s Aadhaar no. and their “Total records” via associated dealer’s ID. So if we managed to get the dealer’s ID’s, we could open the “Total Records” of every consumer he serves.

    And Elliot did it!

    There’s an Android app of Indane which too has an endpoint that’s leaking. That’s where Elliot learned about Dealer IDs from “Locate Distributor” option.

    He then coded a python script which gave him the IDs of 11,000+ dealers.

    Indane Leaks Aadhar Details
    Indane Leaks Aadhar Details

    How big is this leak?

    From the obtained dealers IDs, Elliot scraped out the details of 5.7million consumers, which includes their names, addresses, phone and Aadhaar numbers etc.

    And in his process of surfacing much, his script was blocked (maybe by Indane) and couldn’t get further. But from what he got, the leak was estimated to be around 6.7million customers data.

    His full blog post – https://bit.ly/2EhI92M

    The leak was even indexed by Google as the Indane’s dealers portal was poorly authenticated.

    There’s no comment by Indane till now, and are yet to respond.

    Recent Articles

    Related Stories

    Stay tunes - Get the daily news in your inbox