DigiLocker Flaw Put Over 3.8 Crore Accounts at Risk: Researcher

The DigiLocker team has now fixed the issue.

Advertisement
By Jagmeet Singh | Updated: 3 June 2020 10:07 IST
Highlights
  • DigiLocker was found to have a flaw in its authentication mechanism
  • It allowed anyone to gain access to user accounts
  • DigiLocker team was told about the vulnerability last month

DigiLocker has over 3.84 crore registered users

DigiLocker, an online service from the government that allows individuals to store documents digitally, was found to have an authentication flaw, putting the data of crores of users at risk. The issue was first discovered by a researcher last month and existed in the sign-in process of the service. This could have allowed bad actors to bypass the two-factor authentication and access sensitive personal information. The flaw has now been fixed. Notably, the online facility by the government has over 3.84 crore users.

A security researcher, Ashish Gahlot, discovered the vulnerability in the DigiLocker system while analysing its authentication mechanism. The researcher found that although the default mechanism asks for a one-time password (OTP) and a PIN to log in to the digital storage, he was able to bypass the authentication after adding an Aadhaar number and intercepting the connection to DigiLocker and changing the parameters, as explained by the researcher in a post on Medium.

Advertisement

The authentication flaw allowed anyone with sufficient technical skills to set up a new PIN and even access the DigiLocker account, without requiring any passwords. The flaw could also allow attackers to acquire a user profile by bypassing the OTP process and modifying the response using an interception tool.

Gahlot discovered the vulnerability last month and reported it to the DigiLocker team shortly. The team fixed the PIN bypassing issue in a couple of days, however, the OTP bypass issue was resolved on Monday.

Advertisement

In a statement released late-Tuesday, DigiLocker team acknowledged the vulnerability and said that it had "crept" in the code when new features were added to the platform recently. The team also claimed an attacker could only compromise the account of a DigiLocker user if they had the username of that account. Further, the team mentioned that no data was compromised because of the said vulnerability. As we mentioned earlier, the flaw is now patched.

As per the latest statistics available on the DigiLocker site, there are more than 3.84 crore registered users on the platform. It also issued over 375 authentic documents and has a total of 155 issuer organisations and 45 requestor organisations. The platform is used to store documents such as Aadhaar card, insurance letters, income tax (IT) returns, mark sheets by various state and central boards, and driving licence issued by state governments. Moreover, it is handled by the National e-Governance Division (NeGD), led by the Ministry of Electronics and Information Technology (MeitY).

Advertisement

Editor's Note: Updated with response from DigiLocker team.


In 2020, will WhatsApp get the killer feature that every Indian is waiting for? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement
Popular Mobile Brands
  1. Oppo K15 Launch Date Confirmed; Key Specifications Revealed Ahead of Debut
  2. Tecno Camon 50 Ultra 5G With a 6,500mAh Battery Debuts in India: See Price
  3. WhatsApp Usernames Are Reportedly Available for Some Android and iOS Users
  1. Redmi Note 17 Pro Global Variant Reportedly Appears on NBD Database Alongside Poco Model
  2. Google Pixel 11a Codename Reportedly Spotted in Phone App
  3. Huawei Mate XT 2 Leaked Patent Reveals New Tri-Fold Design and Folding Mechanism
  4. Airtel Unlimited 5G Data Subscribers Reportedly Cannot Share 5G Data via Mobile Hotspot: Here's What We Know So Far
  5. Lenovo Legion C700 Teased as a Cloud Gaming Handheld Ahead of August Launch
  6. Marvel's Wolverine Gets New Trailer That Will Play Ahead of Christopher Nolan's The Odyssey in Select Theatres
  7. Airtel Quietly Removes Rs. 549 Individual Postpaid Plan in India; Rs. 699 Plan Becomes Next Upgrade
  8. Poco M8 Power, Poco X8 India Launch Timeline Tipped; Could Arrive as Rebranded Redmi Note 17 Series
  9. Samsung Galaxy S25 Series Could Get Galaxy S26’s Horizontal Lock Camera Feature With One UI 9 Update
  10. Asus Pad India Launch Date Announced as Company Reveals Key Specifications
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.