On February 10, I received a very interesting private message on Twitter.
With “Aadhaar” and “leak” in the same sentence, this guy managed to get my interest. After a few messages, he sent me a URL.
This page contains a lot of juicy information:
- The hyperlink associated with the “Consumer No” contains a parameter called “aadhar_no”
- The “Consumer Name”
- The “Consumer Address”
- On the bottom right we have the “Total Records”
- In the URL, there is a parameter called dealerID
So, due to a lack of authentication in the local dealer portal, Indane is leaking the names, addresses and the Aadhaar numbers of their customers. But how big is this leak?
This is the dealer portal, so if we modify the value of the dealerID parameter, we can access the consumer info of another dealer. So, to get the size of this leak, we need the IDs of the Indane dealers.
According to Wikipedia, Indane serves more than 90 million families through a network of 9100 distributors. Wow, we have a story here, I definitely need to investigate more.
Oh, they have an Android app, it can be interesting to look at it too.
In their app, there is the possibility to “Locate Your Distributor”. What is happening under the hood?
Bingo! When I use the “Locate Your Distributor” feature, the server sends the dealer IDs of the corresponding “bgadistrict”. With the dichotomy method I easily found that there are 714 “bgadistrict” values.
Great, time to code! We have everything we need to get the size of this leak. Thanks to the endpoint found in the Android app, we will obtain all the valid dealer ids and then we will scrape all the “Total records” in the local dealer portal.
After a few minutes, I wrote this Python script. Running this script gives us 11062 valid dealer IDs. After more than 1 day, my script had tested 9490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak.
Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1572 dealers. By doing some basic math we can estimate the final number of affected customers around 6,791,200.
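The IP block mentioned above is the kind of response a portal owner should have in place before a leak like this is measured by an outsider. The following is an added example, not code from the original post or from Indane: it runs over constructed web-server log lines and flags any client that requests many distinct dealerID values within a short window, which is exactly the enumeration pattern described in this article. The portal path, the log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Assumed log format: <client_ip> [<ISO timestamp>] "<method> <url> <proto>" <status>
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)$')

# Constructed sample lines (hypothetical portal path, no real customer or dealer data).
# 203.0.113.7 walks through six different dealerID values in five seconds;
# 198.51.100.20 behaves like a real dealer looking at its own records.
SAMPLE_LOG = """\
203.0.113.7 [2019-02-16T10:00:01] "GET /dealer/consumers.aspx?dealerID=100234 HTTP/1.1" 200
203.0.113.7 [2019-02-16T10:00:02] "GET /dealer/consumers.aspx?dealerID=100235 HTTP/1.1" 200
203.0.113.7 [2019-02-16T10:00:03] "GET /dealer/consumers.aspx?dealerID=100236 HTTP/1.1" 200
203.0.113.7 [2019-02-16T10:00:04] "GET /dealer/consumers.aspx?dealerID=100237 HTTP/1.1" 200
203.0.113.7 [2019-02-16T10:00:05] "GET /dealer/consumers.aspx?dealerID=100238 HTTP/1.1" 200
203.0.113.7 [2019-02-16T10:00:06] "GET /dealer/consumers.aspx?dealerID=100239 HTTP/1.1" 200
198.51.100.20 [2019-02-16T10:00:07] "GET /dealer/consumers.aspx?dealerID=100300 HTTP/1.1" 200
198.51.100.20 [2019-02-16T10:00:09] "GET /dealer/consumers.aspx?dealerID=100300&page=2 HTTP/1.1" 200
198.51.100.20 [2019-02-16T10:00:12] "GET /dealer/home.aspx HTTP/1.1" 200
203.0.113.7 [2019-02-16T10:02:00] "GET /dealer/consumers.aspx?dealerID=100240 HTTP/1.1" 200
"""

def parse_line(line):
    """Return (ip, timestamp, dealerID) for a dealer lookup, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    dealer = parse_qs(urlparse(m.group("url")).query).get("dealerID")
    if not dealer:
        return None
    return m.group("ip"), datetime.fromisoformat(m.group("ts")), dealer[0]

def find_enumerators(lines, window_s=60, max_distinct=5):
    """Return {ip: peak_distinct_dealer_ids} for clients that requested more than
    max_distinct different dealerID values inside any window_s-second window."""
    recent = defaultdict(deque)  # ip -> (timestamp, dealerID) pairs, oldest first
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, dealer = parsed
        q = recent[ip]
        q.append((ts, dealer))
        while (ts - q[0][0]).total_seconds() > window_s:  # drop entries outside the window
            q.popleft()
        peak[ip] = max(peak[ip], len({d for _, d in q}))
    return {ip: n for ip, n in peak.items() if n > max_distinct}
```

A legitimate dealer account should only ever need its own dealerID, so even a low threshold produces few false positives; the real fix remains tying dealerID to the authenticated session on the server side.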
- Due to a lack of authentication in the local dealer portal, Indane is leaking the names, addresses and the Aadhaar numbers of their customers
- Indane has 11062 dealers
- Total number of affected customers is around 6,791,200
02/10/19: Anonymous tip from a Twitter follower
02/15/19: Disclosure to Indane
02/19/19: Indane didn’t answer. Public disclosure