UIDAI puffs its chest, threatens ZDNet for the crime of journalism
Here we go again with shooting the messenger. Whenever someone points out leaks, breaches, or vulnerabilities involving Aadhaar data, the UIDAI often responds by denying most claims, and stating that because there’s been no breach of their database, there’s nothing to worry about. Even when there is something to worry about.
Now UIDAI is making threatening noises about suing ZDNet over a report by Zack Whittaker. Zack had reported on a researcher’s findings that a state-run utility, Indane, was leaving every person’s Aadhaar data vulnerable by failure to secure their API properly. ZDNet reported:
The utility provider Indane has access to the Aadhaar database through an API, which the company relies on to check a customer’s status and verify their identity.
But because the company hadn’t secured the API, it was possible to retrieve private data on each Aadhaar holder, regardless of whether they’re a customer of the utility provider or not.
The API’s endpoint — a URL on the company’s domain — had no access controls in place, said Saini. The affected endpoint used a hardcoded access token, which, when decoded, translates to “INDAADHAARSECURESTATUS,” allowing anyone to query Aadhaar numbers against the database without any additional authentication.
Saini also found that the API didn’t have any rate limiting in place, allowing an attacker to cycle through every permutation — potentially trillions — of Aadhaar numbers and obtain information each time a successful result is hit.
Within hours after the report appeared, the affected endpoint was taken offline.
So why is the UIDAI suggesting it might sue ZDNet? For what? Reporting on a potentially massive data breach involving Aadhaar data? What did UIDAI want ZDNet to do? Keep quiet while criminals figured out how to access all the data in their database by taking advantage of the API security issue on Indane’s site?
ZDNet reached out to UIDAI numerous times, according to Whittaker’s report. Why didn’t UIDAI respond appropriately? Why didn’t UIDAI act like an accountable agency and say, “It appears there is a potentially serious security issue involving an entity that enables access to our database. We are grateful to the researcher for discovering this so that we can work with the agency to improve security.” Their response of just deny, deny, deny and to threaten ZDnet is an irresponsible and dangerous strategy. As Justin Shafer recently commented in his own case, if you legally threaten researchers (or the media), then the next time someone finds something serious, they may not let you know.