DigiLocker users’ phone numbers exposed [Fixed]

Dewanand Vishal
Mar 31, 2022

DigiLocker is an Indian online digitization service provided by the Ministry of Electronics and Information Technology (MeitY), Government of India, under its Digital India initiative. This is a story about how I was able to disclose the mobile number of any DigiLocker user.

Issue 1 - Sign in with OTP

In 2020, I noticed a new sign-in feature (Sign in with OTP) at DigiLocker and found that if a user tries to log in with this new sign-in feature, the user’s mobile number is disclosed in the HTTP response.

Steps to reproduce:

Step 1 - Set up your proxy and browse to
https://accounts.digitallocker.gov.in/signin > Enter any `Mobile / Aadhaar / Username` > Sign in with OTP > Go to proxy history > Notice the [ signin/send_otp ] request and observe the response.

Video PoC

Issue 2 - Forgot security PIN

I noticed an issue while exploring all the new features and found that if a user forgets his security PIN, the user’s mobile number is disclosed in the HTTP response.

Steps to reproduce:

Step 1 - Set up your proxy and browse to
https://accounts.digitallocker.gov.in/signin > Forgot security PIN? >
Fill in the details and click Next

Step 2 - Click Resend the OTP > Go to proxy history > Observe the
POST request [ signin/forgotpin_send_otp_v4 ] > Observe the response;
you can see the user’s mobile number

HTTP request

Impact:

This vulnerability allows an attacker to access the mobile numbers of other users, which could potentially be used for spam or phishing attacks. It could also lead to privacy violations.
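As an added illustration, not code from this post or from DigiLocker, here is the pattern behind both issues beside a hardened variant in Python: the OTP endpoint's JSON reply should carry at most a masked hint of the registered number, and a simple check can flag response bodies that still contain a full number. The account data, the field names and the +91-prefix assumption are all constructed for the example.

```python
import re

# Constructed sample of what an account lookup might return for the
# send_otp / forgotpin_send_otp_v4 flows (hypothetical data, not DigiLocker's).
SAMPLE_ACCOUNT = {"username": "demo_user", "mobile": "+919876543210"}

# Assumption for the example: Indian 10-digit mobiles, optionally +91-prefixed.
MOBILE_RE = re.compile(r"(?<!\d)(?:\+?91)?\d{10}(?!\d)")


def mask_mobile(mobile: str, visible: int = 4) -> str:
    """Return the number with only the last `visible` digits shown.
    Digits are replaced by 'X'; formatting characters such as '+' are kept."""
    digits = [c for c in mobile if c.isdigit()]
    if len(digits) <= visible:
        # Too short to reveal anything safely: mask every digit.
        return "".join("X" if c.isdigit() else c for c in mobile)
    keep_from = len(digits) - visible
    out, seen = [], 0
    for c in mobile:
        if c.isdigit():
            out.append(c if seen >= keep_from else "X")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def leaky_send_otp_response(account: dict) -> dict:
    """The pattern described in the post: the OTP endpoint echoes the
    full mobile number back to a caller who has not yet authenticated."""
    return {"status": "ok", "mobile": account["mobile"], "msg": "OTP sent"}


def safe_send_otp_response(account: dict) -> dict:
    """Hardened variant: only a masked hint leaves the server; the full
    number stays server-side."""
    return {"status": "ok", "mobile_hint": mask_mobile(account["mobile"]),
            "msg": "OTP sent to your registered mobile number"}


def response_leaks_mobile(body: dict) -> bool:
    """Defensive check usable in tests or a response-scanning proxy: True if
    any string value in the body contains a full mobile number."""
    return any(isinstance(v, str) and MOBILE_RE.search(v) for v in body.values())
```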

Note:

I don’t look for vulnerabilities in government websites or projects. This was just an accident.
