DigiLocker fixes a vulnerability in its registry system

Posted date 19/06/2020

DigiLocker, the official platform of the Government of India for the issuance and verification of documents and certificates, has fixed a critical vulnerability that would have allowed a remote attacker to bypass the OTP (one-time password) sent to a mobile device and log in as other users.

The vulnerability was discovered independently, but on the same dates, by two researchers, Mohesh Mohan and Ashish Gahlot, who reported it to CERT-In and DigiLocker, respectively.

In its official published statement, DigiLocker says that all of its users' information remains safe and secure and has at no time been compromised.