Updated 13 October 2023 at 10:02 IST
West Bengal government website exposes Aadhaar numbers and other documents
The bug was identified on the e-District web portal of the West Bengal government, a platform enabling state residents to access government services online.
Privacy concern: A security flaw on the West Bengal state government website led to the accidental exposure of critical documents, including Aadhaar numbers, identity cards, and fingerprint copies of residents. The flaw was rectified last week following its disclosure to local authorities by a security researcher.
The bug was identified on the e-District web portal of the West Bengal government, a platform enabling state residents to access government services online, such as acquiring birth and death certificates and submitting building applications. This vulnerability allowed potential access to land deeds, which contain extensive records about landowners, through guessing sequential deed application numbers.
Application identification numbers, the unique 16-digit codes assigned by the state government when a resident applies for a digital copy of a deed, were integral to this flaw. By analysing network traffic with tools like Burp Suite, the security researcher could iterate through lists of sequential application numbers and determine their validity based on server responses.
Land deed data
With access to an application identification number, individuals with a login to the e-District system could obtain a copy of a land deed. The exposed deeds included names, photographs, full fingerprint sets from both hands and government-issued identity documents, including confidential Aadhaar numbers—a vital component of India's national identity and biometric database, necessary for various essential services.
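The pattern described above, where any logged-in account can retrieve a deed by its sequential application number and the server's response shows which numbers are valid, is sketched below next to an object-level ownership check that closes both gaps. This is an added example, not the portal's code or its actual fix, which the article does not describe; the record layout, account names, application numbers and function names are all constructed for illustration.

```python
# Added illustration; all names and records are constructed, not the portal's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Deed:
    application_no: str   # 16-digit number, sequential as the article describes
    applicant: str        # account that filed the application
    document: str         # stands in for the scanned deed


# Constructed sample data: three consecutive application numbers.
DEEDS = {
    d.application_no: d
    for d in (
        Deed("2023000000000101", "alice", "deed-A"),
        Deed("2023000000000102", "bob", "deed-B"),
        Deed("2023000000000103", "carol", "deed-C"),
    )
}

NOT_FOUND = (404, "No such application")


def fetch_deed_vulnerable(user: str, application_no: str):
    """Flawed pattern: being logged in is the only requirement."""
    deed = DEEDS.get(application_no)
    if deed is None:
        return NOT_FOUND            # 404 vs 200 tells the caller which numbers exist
    return (200, deed.document)


def fetch_deed_hardened(user: str, application_no: str):
    """Object-level check: only the applicant may read the deed."""
    deed = DEEDS.get(application_no)
    # Missing and not-owned get the same answer, so responses no longer
    # reveal which application numbers are valid.
    if deed is None or deed.applicant != user:
        return NOT_FOUND
    return (200, deed.document)


def readable_by(fetch, user: str, start: int, count: int):
    """Regression check: which numbers in a consecutive range does `user` get back?"""
    numbers = (f"{n:016d}" for n in range(start, start + count))
    return [n for n in numbers if fetch(user, n)[0] == 200]
```

Run against the constructed data, `readable_by` returns every deed in the range for the flawed handler and only the caller's own deed for the hardened one, which makes it usable as a regression test for this class of bug.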
Upon discovering this vulnerability, the researcher promptly reported it to India's computer emergency response team (CERT-In) and the West Bengal government, expressing concerns about potential identity fraud. The bug was promptly fixed to mitigate risks.
It remains unknown if others had exploited this bug before its discovery. Despite attempts, representatives from the West Bengal government and CERT-In have not provided comments. The e-District website boasts having processed over 17 million applications, although the exact number related to land deeds remains undisclosed. Recent local media reports suggest an increase in fraud tied to alleged biometric data theft, possibly used to empty bank accounts.
Published By: Anirudh Trivedi
Published On: 13 October 2023 at 10:02 IST