The website managed by the Corporation of Chennai has inadvertently leaked the private details of citizens born in Chennai since 1910, by not putting in any verification checks whatsoever.
Anyone on the Internet can enter any random date and gender to download birth certificates of Chennai citizens born since 1910 as pdf files. The breach was pointed a few hours go in a tweetstorm by Twitter user ST_Hill.
As mentioned by him, we were able to download birth certificates as pdf files without entering any security checks, other than a number verification code.
It's quite likely that once the entire internet discovers this data breach, phishers and hackers could easily steal the identities of citizens on from the portal through crucial details like date of birth, address, mother's name, which form a part of security checks in online commerce and banks.
What a horrible understanding of privacy and personal data. And we think Aadhaar will be the one to create this problem. Sigh!
-- St_Hill (@St_Hill)December 23, 2015
Senthil also points out a simple hack that enables users to skirt the number verification sequence - simply by editing the date in the URL. This gives identity thieves an even easier backdoor for mass identity theft. In the same Twitter thread, Karthik Balakrishnan reveals that the URLs are sequential, making it even easier for a hacker to design a script and scrape all the personal data from the certificates.
Such data breaches do bring into question whether government bodies have fully understood the importance of keeping citizen data private and secure in their rush to digitise India. Earlier this year, Trai had released emails with names of everyone who had submitted responses to its consultation paper on net neutrality.
Gadgets 360 has emailed the Chennai Corporation heads informing them about this breach, and has requested a comment asking for an update on activity logs and latest visitors statistics on its website.
No comments:
Post a Comment