French security researcher reveals series of security issues in Indian sites


A French security researcher who goes by the pseudonym “Elliot Alderson” has been on a rampage of testing Indian sites for vulnerabilities and data breaches, after the denial-prone UIDAI dismissed the issues he raised and repeated its assertion that Aadhaar is safe. This, frankly, is bait to any security-conscious person: a claim that any technology is perfectly safe is meaningless, and when the creator makes it about their own technology it signals ignorant arrogance. Alderson, whose core area of competence appears to be Android apps and penetration testing, proceeded to publish a growing list of security issues, leaving the developers of various sites scrambling to respond.

He has pointed out security flaws in several Indian sites, including Punjab Police, ISRO, India Post, Apollo Hospitals, Aligarh University, Mumbai University, Telangana NREGA, Bangalore City Police and PayTM, among others. In most cases he was able to get in touch with the developers (India Post, ISRO, PayTM and others) and have the issues fixed before revealing details about them. Some have maintained silence. Others, like PayTM or BSNL, may have attempted to save face, but they too fixed the reported issues and stopped defending them.

Alderson has also drawn attention to the difficulty Indian researchers face in getting security issues noticed, given the government's disinterest in responding to bug reports. Only the UIDAI appears to have persisted in dismissing the issues as unimportant.

Among the security issues he flagged were details of Aadhaar cards found on various government websites. This is by no means a new issue; Indian researchers and tech-savvy individuals have been flagging it for years. However, since the state's typical response is to shoot the messenger, there is increasing reluctance to report problems in an attempt to prevent harm to the state.

What is proving different with Alderson is that, besides knowing the technology, he is not under Indian jurisdiction and is not intimidated by the UIDAI's usual tactics for silencing reports of security issues. Instead, those tactics seem to provoke him to do more to make his point indisputable. For his part, like many tech professionals objecting to Aadhaar, he has stated that he is not against Aadhaar but sees the lack of seriousness about security as a problem.


While most organizations he reported vulnerabilities to addressed the issues promptly and with minimal fuss, as is the norm in the tech world, the UIDAI in its typical style dismissed them and discredited him instead of disclosing transparently. This has clearly backfired, and Alderson is focusing on Aadhaar with increasing tenacity.

The resultant back and forth played out on Twitter, much to the amusement of those who have tried unsuccessfully to get UIDAI to take data breaches seriously.

The data leaks tweets

Alderson had in the past brought up issues with the mAadhaar app, the security of websites providing Aadhaar bridge related services, and more. He then tweeted about finding details of some 20,000 Aadhaar cards on government websites.


The UIDAI responded to this by saying that it was not a problem. “Putting such information is perfectly fine and is consistent with UIDAI policy of proactive disclosure and transparency under RTI. And no way it can be termed as leak by any stretch of imagination.”

He then went on to find details of 20,000 Aadhaar cards on Indian government sites within 3 hours.


The UIDAI responded with a series of incomprehensible tweets that veered from its standard assurance that all was well to subtle threats over revealing Aadhaar card details, and from asserting that there was no harm in Aadhaar data being revealed, since Aadhaar could not be misused, to saying that it contains private information and thus should not be shared. The overall tone was that Alderson had not shown any security issue and was trying to raise baseless fears.

And of course, Alderson was not impressed.

Reacting sharply to the “unscrupulous elements” remark in UIDAI’s tweets, he tweeted a link to a folder left open on the PRIS site for Andhra Pradesh containing Aadhaar card images, including biometrics.


He further said that he would start a bot to find Aadhaar card information left unsecured on the internet and tweet about the leaks.

And the war continues. It is the classic story of someone with nothing to lose against someone with too much to lose to admit anything. There seems little doubt that Alderson will continue his rampage of making Aadhaar security issues public. There is little hope that the UIDAI will finally develop a sense of professional ethics and work to address the flaws, or ensure that the project does not continue to cause further harm.


What happens next remains to be seen.

However, one important question Alderson’s security reports and the UIDAI’s responses have raised remains:

If the UIDAI is not able to stop a determined researcher from reporting security issues, what chance does it have of stopping a determined attacker from exploiting them?

But we know the answer to that one. They don’t care.

Written By

Vidyut is a commentator on socio-political issues with a keen interest in behavioral sciences, digital rights and security and manages to engage her various proficiencies to bring an unusual perspective to issues related with the intersection of tech and people.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ