Aadhaar bug that exposed biometric data fixed by West Bengal government

A security researcher was able to obtain digital copies of land deeds from the e-District website by guessing sequential application identification numbers.

An independent security researcher has revealed that a bug on the e-District web portal of the West Bengal government, which was fixed last week, exposed the biometric data and Aadhaar numbers of millions of state residents. The e-District web portal allows state residents to access various government services online, such as obtaining land deeds and certificates.

According to a TechCrunch report, the researcher, Sourajeet Majumder, said that he was able to obtain digital copies of land deeds from the e-District website by guessing sequential application identification numbers – or unique 16-digit numbers assigned to each deed application. The land deeds contained the names, photos, fingerprints, and identity documents of the owners of a piece of land. Some deeds involved multiple owners.

The identity documents included Aadhaar numbers, which are confidential and linked to India’s national identity and biometric database. Aadhaar numbers are required for many essential services, such as banking, cell phone plans, and government benefits.

Majumder said he reported the vulnerability to India’s computer emergency response team (CERT-In) and the West Bengal government, fearing that the exposed data could be used for identity theft and fraud.

This incident comes amid a surge in fraud cases involving the alleged misuse of biometric information by criminals who access bank accounts and other services using stolen or cloned fingerprints. The security of Aadhaar data has been a subject of controversy and debate in India for years.