
After major flaws were found in the CBSE re-examination portal, now two researchers Akshay CS and Viral Vaghela have found flaws in India’s UMANG portal, which led to the loss of sensitive data of millions of Indians, including Base Number and UAN details of EPFO are included, may be revealed. The researcher told The Hindu that the mentioned flaws probably exist for years and affect many services available on the UMANG portal. Vaghela was quoted in the report as saying, almost everything is broken by design. The government’s reply has also come out in this matter, about which you should know.
Government’s response
The Ministry of Electronics and Information Technology acknowledged these shortcomings in a statement to The Hindu. The ministry said, our development and security teams have carefully examined the observation and are implementing the necessary improvements and preventive measures. Plaintext information is properly encrypted in the corresponding APIs. The ministry further said that it reviewed the API transaction logs for the last three months and found that transaction volumes were consistent and continued to monitor activity on the portal.
Flaws in UMANG portal
Due to security reasons, the exact technical details of the flaws have not been disclosed, because it is reported that the flaws are still active on the UMANG portal. According to the report, due to these vulnerabilities, cyber criminals with UAN numbers could withdraw funds on a large scale, which would have allowed both to change bank account details and initiate payments.
After finding flaws in the UMANG portal, researchers informed the IT ministry and the Computer Emergency Response Team, India, or CERT-In. CERT-In issues alerts and helps organizations respond to cybersecurity vulnerabilities. Soon after these shortcomings were exposed, EPFO shut down its online portal for migration and some services remained unavailable this week. Researchers said they suspected the move was related to their alerts, which were also sent to the organization.
Researchers claim that Aadhaar numbers were visible in plain text in many services, where the user’s identity is saved, even though such storage is not allowed under the Aadhaar Act, 2016. However, according to the report, the Aadhaar module itself within UMANG was not vulnerable. The report said the exposed data may include EPFO unique account numbers, LPG cylinder booking details with at least one major oil marketing company. The Employees Provident Fund Organization (EPFO) module is the most used service of the portal, with more than 40 crore transactions in the last three months.
Read this also- Will this phone of Oppo be the camera king? Not just one, you will get 3 200MP cameras
Leave a Reply