Reseachers have found major vulnerabilities in the UMANG portal that can put data of millions of Indians at risk. (Representational image made with AI)

UMANG portal flaw may have exposed Aadhaar-linked data of millions, govt responds

Researchers have found flaws in India's UMANG portal that may put data of millions of Indians at risk by potentially exposing EPFO Unique Account Numbers, Aadhaar numbers, LPG bookings, and more. The UMANG portal links over 2,400 different government services.

by · India Today

In Short

  • Researchers find major flaws in UMANG portal
  • Aadhaar-linked data of millions potentially at risk
  • Government says it is implementing corrections

After the CBSE re-examination portal was found to have major vulnerabilities, now two researchers – Akshay CS and Viral Vaghela – have found flaws in India’s UMANG portal potentially exposing sensitive data of millions of Indians, including Aadhar numbers, and EPFO’s UAN details.

The researchers told the Hindu that the reported flaws may have existed for years and affect several services available on the UMANG portal. “Almost everything is broken by design,” Vaghela was quoted as saying in the report.

The Unified Mobile Application for New-age Governance (UMANG) was launched in November 2023 by Prime Minister Narendra Modi at the fifth Global Conference on Cyberspace in New Delhi. The portal brings together over 2,400 services from union and state governments, including pensions, healthcare, PF balance, and certificates.

What are the reported UMANG portal flaws?

The researchers claim that Aadhaar numbers were visible in plaintext across many services, where a user’s identity is saved, even though such storage is not allowed under the Aadhaar Act, 2016. Though, the Aadhaar module within UMANG itself was not vulnerable, according to the report.

The exposed data may include EPFO Unique Account Numbers, LPG cylinder booking details with at least one major oil marketing company, the Hindu report adds.

The Employees' Provident Fund Organisation (EPFO) module is the portal’s most-used service, with more than 40 crore transactions over the last three months, which is fifteen times more than Bharat Aadhaar Seeding Enabler, the next largest use case.

Precise technical details of the flaws have not been revealed for security reasons as the vulnerabilities are reportedly still active on the UMANG portal.

As per the report, the flaws could’ve allowed cybercriminals in possession of UAN numbers to siphon funds at scale by “allowing for both changing of bank account details and initiating payouts.”

After finding vulnerabilities in the UMANG portal, the researchers reported the vulnerabilities to the IT Ministry and the Computer Emergency Response Team, India, or CERT-In. CERT-In issues alerts and helps organisations respond to cybersecurity flaws.

Soon after their disclosure, the EPFO took down its online portal for a “migration," and some services remained unavailable this week. The researchers said they suspected the step was linked to their alerts, which were also sent to the organisation.

Government responds to UMANG portal flaw claims

The Ministry of Electronics and Information Technology acknowledged the vulnerabilities in a statement to the Hindu. “Our development and security teams have carefully examined the observations and are implementing the necessary corrective and preventive measures,” the Ministry said. “The plaintext information in the concerned APIs has been appropriately encrypted.”

The Ministry added that it “reviewed the API transaction logs for the past three months” found that “transaction volumes” were consistent and was continuing to monitor activity on the portal.

As per the researchers, the encryption referred to by the Ministry was “flawed and inadequate” and that a simple workaround allowed it to be cracked.

This report comes at a time when there is growing fear around the potential misuse of advanced AI models like Claude Mythos in cybersecurity, if used by bad actors. Such models can find cybersecurity flaws which may have not been spotted by humans, making it easier to potentially hack websites or systems.

On Monday, IT Secretary S Krishnan revealed that CERT-in had launched a “war room” to audit crucial code used by the government with locally hosted open-source models. As per Krishnan, the models in the war room are believed “to be about 60–70 per cent as capable as Mythos.”

Though, he added that India was in discussions to get access to Mythos. He said, “Clearly, getting access to Mythos and similar advanced models is very high on the government’s priority list, and this is something that we have discussed with our counterparts in the US and with the respective companies.”

- Ends