In the era of Digital India, where government services are available to people at the click of a button, a major security breach has been discovered in the UMANG portal, the country’s largest government service aggregator. Two cybersecurity researchers revealed that this flaw in the UMANG portal has exposed critical data of millions of citizens, such as Aadhaar numbers and EPFO UANs, to hackers and cybercriminals.
This is a major security flaw in the Government of India’s UMANG portal. Cybersecurity researchers Akshay CS and Viral Vaghela have claimed that this flaw puts the data of millions of Indians, including Aadhaar numbers and EPFO UAN details, at risk of being leaked. According to a report in The Hindu, this security flaw may have existed for several years. Viral Vaghela stated that the entire system is insecure by design.
Researchers have claimed that users’ Aadhaar numbers were visible without any security protection in several services of the Umang portal, which is against the rules of the Aadhaar Act, 2016. However, the main Aadhaar module within the Umang app was secure.The leaked data also includes EPFO UAN numbers and LPG gas cylinder booking details.
EPFO is the most frequently used service on the Umang app. According to the researchers, cybercriminals could have exploited this security flaw by changing any user’s bank account information and siphoning off PF funds.
After the researchers reported this vulnerability to the IT Ministry and CERT-In, the Computer Emergency Response Team, the government’s Ministry of Electronics and Information Technology took action and acknowledged the security flaw in the portal. The ministry stated that its teams have addressed the issue and the affected APIs have now been encrypted.
However, researchers say the government’s encryption is very weak and can be easily bypassed.
This incident comes at a time when the threat of misuse of AI models like Claude Mythos in cybersecurity has increased. Such advanced models can easily find security flaws that escape human attention.
According to IT Secretary S. Krishnan, CERT-In has created a war room to audit the security of government code, where open-source AI models are being used.
