2025-01-26 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article walks through the DigiLocker vulnerability that let attackers access any account without knowing its password. Many beginners are not clear on how it worked, so the editor explains it below in detail for anyone who needs it.
The Indian government says it has fixed a serious vulnerability in its secure document wallet service, DigiLocker, which allowed remote attackers to bypass one-time passwords (OTPs) and log in as other users.
The vulnerability was discovered independently by two bug bounty researchers, Mohesh Mohan and Ashish Gahlot. An attacker could exploit it with little effort and, without any authorization, access the sensitive documents a target user had uploaded to the government-operated platform.
"The OTP function lacks authorization, and an attacker can perform OTP authentication by submitting arbitrary legitimate user details and then tamper with the flow to log in as a completely different user," Mohesh Mohan said in a disclosure report.
With 38 million registered users, DigiLocker is a cloud-based repository that serves as a digital platform for processing documents online and delivering a variety of government services to citizens faster. DigiLocker links each user's mobile phone number to their Aadhaar ID (the unique identification number the government assigns to every Indian resident).
According to the information Mohan published, an attacker only needed to know the victim's Aadhaar ID, associated mobile phone number or user name to gain unauthorized access to the target's DigiLocker account: the service could be prompted to send an OTP, and the flow was then manipulated to bypass the login process.
It should be noted that the mobile app version of DigiLocker uses a four-digit PIN as an extra layer of security. However, the researchers say the API call that verifies the PIN could be modified to submit another user's PIN, so that it authenticated as that user and the attacker logged in as the victim.
This means that "you can authenticate the SMS OTP as one user, submit the PIN of the second user, and eventually you will log in as the second user," Mohan said.
Also, the lack of authorization on the API endpoint for setting the secret PIN meant that the API could be used to reset the PIN associated with any user, given that user's UUID.
Mohan added, "There is no session-related information on the POST request, so it does not bind any users."
In addition to the problems above, API calls from the mobile app were protected only by basic authentication, which an attacker could bypass by removing the header flag "is_encrypted:1". The researchers also found that the application implemented a weak SSL pinning mechanism that could be easily bypassed using tools such as Frida.
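The two authorization gaps described above, the PIN step trusting a user identifier from the request body instead of the identity proven at the OTP step, and the set-PIN endpoint accepting any UUID with no session binding, come down to the same missing check. The example below is added here for illustration and is not DigiLocker's code; it assumes a hypothetical server-side session store, a user table keyed by UUID, and constructed sample users, and shows the vulnerable pattern next to a hardened version that only acts on the identity bound to the session.

```python
"""Added example (not DigiLocker's code): a two-step login flow showing the
missing authorization binding and how to close it.

Assumptions (mine, not from the article): a server-side session store keyed by
a session token, a user table keyed by UUID, and a PIN step that runs after the
SMS OTP step. All user data below is constructed for the example.
"""
import hashlib
import hmac
import secrets

# Constructed sample users: uuid -> record. PINs are stored as salted PBKDF2 hashes.
USERS = {
    "uuid-alice": {"mobile": "9000000001", "pin_hash": None},
    "uuid-bob":   {"mobile": "9000000002", "pin_hash": None},
}

# Hypothetical session store: token -> per-session state.
SESSIONS = {}


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


def _pin_matches(uuid: str, pin: str) -> bool:
    rec = USERS.get(uuid)
    if rec is None or rec["pin_hash"] is None:
        return False
    salt, expected = rec["pin_hash"]
    return hmac.compare_digest(_hash_pin(pin, salt), expected)


def verify_otp_step(session_token: str, uuid: str, otp_ok: bool) -> bool:
    """Step 1: once the SMS OTP check passes, record WHICH user it was for."""
    if not otp_ok:
        return False
    SESSIONS.setdefault(session_token, {})["otp_verified_uuid"] = uuid
    return True


def vulnerable_pin_step(session_token: str, request_uuid: str, pin: str):
    """Vulnerable pattern: trusts the uuid in the POST body, ignores which
    user passed the OTP step. Returns the uuid that gets logged in."""
    if _pin_matches(request_uuid, pin):
        return request_uuid  # logged in as whoever the body named
    return None


def hardened_pin_step(session_token: str, request_uuid: str, pin: str):
    """Hardened: the only identity that counts is the one proven in step 1;
    a body uuid that disagrees with it is rejected."""
    sess = SESSIONS.get(session_token)
    if not sess or "otp_verified_uuid" not in sess:
        return None  # OTP step never completed for this session
    bound = sess["otp_verified_uuid"]
    if not hmac.compare_digest(bound, request_uuid):
        return None  # identity tampered with between steps
    if not _pin_matches(bound, pin):
        return None
    sess.pop("otp_verified_uuid")  # one-shot: OTP proof cannot be reused
    sess["logged_in_uuid"] = bound
    return bound


def vulnerable_set_pin(request_uuid: str, new_pin: str) -> bool:
    """Vulnerable pattern: resets the PIN of any uuid named in the request."""
    if request_uuid not in USERS:
        return False
    salt = secrets.token_bytes(16)
    USERS[request_uuid]["pin_hash"] = (salt, _hash_pin(new_pin, salt))
    return True


def hardened_set_pin(session_token: str, new_pin: str) -> bool:
    """Hardened: the target account comes from the authenticated session,
    never from the request body."""
    sess = SESSIONS.get(session_token)
    if not sess or "logged_in_uuid" not in sess:
        return False
    return vulnerable_set_pin(sess["logged_in_uuid"], new_pin)
```

The hardened functions never take the victim's identifier as an input they act on: the OTP step writes the verified UUID into server-side session state, the PIN step reads it back and consumes it, and the PIN reset uses only the logged-in UUID. A quick regression check for this class of bug is to complete the OTP step as user A, then submit every later step with user B's identifiers; each of those requests should fail.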
Mohan reported the vulnerability to CERT-In on May 10, and Ashish reported it to DigiLocker on May 16, and DigiLocker said the vulnerability was fixed on May 28.
DigiLocker acknowledged the vulnerability in a tweet last week, which read: "If an attacker knows the user name of a particular account, an individual's DigiLocker account may be compromised, which is the nature of the vulnerability. If you do not know the account user name and other details, no one can use this vulnerability to access the DigiLocker account."
The DigiLocker team added, "After analysis, it was found that the vulnerability existed in the code of some recently added features. After receiving an alert from CERT-In, the technical team gave priority to fixing the vulnerability within a day. This was not an attack on infrastructure, and no data, database, storage or encryption was affected."