A security researcher named Sourajeet Majumder recently discovered and reported a critical bug in the West Bengal government’s e-District web portal, which offers government services such as obtaining birth and death certificates and building applications. The bug exposed sensitive documents, including residents’ Aadhaar numbers, identity cards, and fingerprints. The flaw made it possible to access land deeds, which contain ownership records, by guessing sequential deed application numbers.
To exploit this vulnerability, Majumder used publicly available tools to analyze the network traffic, allowing him to test and identify valid application identification numbers. With a valid application identification number, anyone with a login to the e-District system could access land deeds, some of which contained personal information and complete sets of fingerprints from multiple individuals. These deeds also disclosed government-issued identity documents, including confidential Aadhaar numbers, which are essential for various services in India.
Concerned about potential identity fraud, Majumder reported the vulnerability to India’s computer emergency response team, CERT-In, and the West Bengal government. Prompt action was taken to address the issue and secure the exposed data. It remains unknown if other individuals had discovered this bug prior to Majumder’s findings. Given the recent increase in fraud associated with the theft of biometric information, securing such data is of paramount importance.
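The flaw class described above (sequential application numbers, with any logged-in user allowed to read any deed) comes down to a missing object-level authorization check. The following added example is not code from the e-District portal; the record store, user names and function names are all hypothetical, and it contrasts a login-only lookup with one that also requires the requester to be a party to the application.

```python
# Added illustration: every name and record here is constructed,
# none of it comes from the e-District portal.
from dataclasses import dataclass


@dataclass(frozen=True)
class Deed:
    application_no: int   # sequential, hence guessable
    parties: frozenset    # user ids named on the application
    document: str


# Constructed sample records with consecutive application numbers.
DEEDS = {
    1001: Deed(1001, frozenset({"alice"}), "deed-1001.pdf"),
    1002: Deed(1002, frozenset({"bob", "carol"}), "deed-1002.pdf"),
    1003: Deed(1003, frozenset({"dave"}), "deed-1003.pdf"),
}


class Forbidden(Exception):
    pass


def get_deed_login_only(user, application_no):
    """Flawed pattern: a login is required, but ownership is never checked."""
    if user is None:
        raise Forbidden("login required")
    return DEEDS.get(application_no)


def get_deed_authorized(user, application_no):
    """Hardened pattern: the requester must be a party to the application."""
    if user is None:
        raise Forbidden("login required")
    deed = DEEDS.get(application_no)
    # Same error for "no such number" and "not yours", so the response
    # does not confirm which application numbers are valid.
    if deed is None or user not in deed.parties:
        raise Forbidden("not found or not permitted")
    return deed


def readable_by(user, lookup, numbers):
    """Return the application numbers that `lookup` releases to `user`."""
    released = []
    for n in numbers:
        try:
            if lookup(user, n) is not None:
                released.append(n)
        except Forbidden:
            pass
    return released
```

Running `readable_by` over a range of numbers in a test suite is a quick regression check that a logged-in account only ever receives records it is a party to.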