UMANG portal flaws exposed user data across hundreds of services, researchers find
Multiple vulnerabilities in the Unified Mobile Application for New-age Governance (UMANG), a government portal that aggregates hundreds of public services offered by the Union and
Multiple vulnerabilities in the Unified Mobile Application for New-age Governance (UMANG), a government portal that aggregates hundreds of public services offered by the Union and State Governments, are leaving potentially millions of Indians’ data exposed across a variety of databases, including those from the Employees’ Provident Fund Organisation (EPFO), according to two security researchers who shared their findings with The Hindu. The vulnerabilities, which have likely existed for years, affect several services tested on the UMANG portal, which has onboarded over 2,400 services. It stems from the architecture of the portal itself, said the researchers, Akshay C.S. and Viral Vaghela. “Almost everything is broken by design,” Mr. Vaghela said. UMANG was launched nine years ago by Prime Minister Narendra Modi at the fifth Global Conference on Cyber Space, which took place in Delhi. EPFO downtime The data exposed includes Unique Account Numbers (UAN) with the EPFO, LPG cylinder booking details with at least one major oil marketing company, and Aadhaar numbers across several services where a user’s ID details are saved. The Aadhaar numbers were found across many services in plaintext, even though such storage is disallowed by the Aadhaar Act, 2016. The Aadhaar module itself within UMANG was not vulnerable. The EPFO module is UMANG’s most-used service, recording over 40 crore transactions over the last three months — fifteen times more than Bharat Aadhaar Seeding Enabler, the next largest use case.
The Ministry of Electronics and Information Technology acknowledged the vulnerabilities in a statement to The Hindu. “Our development and security teams have carefully examined the observations and are implementing the necessary corrective and preventive measures,” the Ministry said. “The plaintext information in the concerned APIs has been appropriately encrypted.” The Ministry added that it has “reviewed the API transaction logs for the past three months” and found that “transaction volumes” were consistent and that it continued to keep watch on activities on the UMANG portal. Also read: PF interest to be credited by July 15 to member accounts: Minister The Hindu is withholding the precise technical details of the vulnerabilities, as they remain active despite the above interventions. The encryption the IT Ministry referred to is “flawed and inadequate,” Mr. Akshay said, adding that a simple workaround allowed it to be cracked anyway. At The Hindu’s request, the researchers shared their findings with Karan Saini, another independent security researcher, who termed the vulnerabilities “significant”. “Considering that rate limiting was implemented and the large number-space of EPFO UANs,” Mr. Saini said, referring to the steps taken by the site to limit the number of requests a user can make, “it is unlikely that the vulnerability could have been exploited to mirror the entire EPFO database.” Still, he added, it “could potentially have been abused by cybercriminals in possession of UAN numbers to siphon funds at scale by allowing for both changing of bank account details and initiating payouts, which is very concerning.” “The fixes initially implemented following the disclosure appear to do nothing to secure the system and instead confuse obscurity with security, while also introducing another vulnerability in the process,” Mr. Saini said.
