A vulnerability in Reliance Jio’s JioMoney wallet app exposed personal data of JioMoney users, according to an independent security researcher. Users’ Aadhaar numbers were exposed, along with details like their date of birth, when they verified their SIM card, and their JioMoney account MPIN.
MediaNama reached out to Jio for comment, and in response they have sent the following statement:
“We have come across an unverified and unsubstantiated claim of personal data of JioMoney users being exposed. We confirm that there is no such issue in JioMoney. Prima facie, the claims appear to be mischievous attempts to malign our services. We assure our users that their data is safe and maintained with highest security.”
C.S. Akshay, the researcher, started scrutinizing JioMoney’s code when the service’s customer support was unable to resolve a grievance. “Absolutely irritated, I messed with Jio Money with [which] the issue resided and boom,” Akshay said, “a vulnerability was discovered!” Akshay put up a microsite where these details could be auto-fetched, but took it down — and deleted his tweets on the subject — after getting a call from Jio.
While Jio does not publish details about how many users are enrolled on JioMoney, the company encourages all its subscribers to download the entire Jio suite of apps, which includes JioMoney.
JioMoney also runs a payments bank, and is partnered with several insurance companies that let users make premium payments. It also has partnerships with Uber, Sodexo, Snapdeal and Domino's Pizza. The payments app is similar to Paytm in many ways, and is subject to RBI oversight on payments bank security. It's unclear if this incident has reached the RBI's radar.
Not the first time
This is not the first time Jio has had a vulnerability in its app ecosystem that exposed the data of users. In 2017, Imran Chhimpa, a small-town coder in Rajasthan, figured out a way to auto-fetch Jio users’ details from their phone numbers with a login to a Jio app used by retailers. Chhimpa wanted to do the same for other telcos’ subscribers as well, but hadn’t figured out how. He was later arrested, after he created a website that allowed people to search for Jio phone numbers and get personal data in return. It’s not clear if Chhimpa had customers’ Aadhaar numbers, because even though the website he created had a field for Aadhaar numbers, it doesn’t seem to have turned up any Aadhaar numbers in practice.