Any Indian DigiLocker Account Could’ve Been Accessed Without Password

The Indian Government fixed a flaw in the secure document wallet service Digilocker that could have potentially allowed anyone’s access without password.

The Indian Government announced to have fixed a critical vulnerability in its secure document wallet service Digilocker that could have potentially allowed a remote attacker to sign in as other users.

DigiLocker is an online service provided by Ministry of Electronics and IT (MeitY), Government of India under its Digital India initiative. DigiLocker provides an account in cloud to every Aadhaar holder to access authentic documents/certificates such as driving license, vehicle registration, academic mark sheet in digital format from the original issuers of these certificates. It also provides 1GB storage space to each account to upload scanned copies of legacy documents. The service has over 38 million registered users.

The flaw have allowed to bypass mobile one-time passwords (OTP) and access to access the sensitive documents stored in the wallet of any user.