LPG gas company leaked names and addresses of 6,700,000 Indian customers
Thanks to research by security researcher Elliot Alderson (the online handle of Baptiste Robert) and an Indian malware researcher who wishes to remain anonymous, an endpoint on the official website of Indane, IndianOil's LPG brand, was found leaking personal information. According to the report, the site has been exposing customers' Aadhaar numbers, names and addresses. The company's careless handling of user data affects millions of customers.
The investigation began after Alderson received a message about the leak. The link the anonymous researcher sent him revealed more details about the issue. Indane apparently blocked Alderson's IP address before he could finish his scan. Nevertheless, he estimates that the final number of affected customers is around 6.7 million.
The lack of authentication in the local dealers portal
The research began at the start of February when Alderson, as he reports in his Medium blog post, received a Twitter message containing a few keywords that caught his attention. The Indian researcher, who wished to remain anonymous, had discovered a sensitive data leak involving Aadhaar card numbers and an Indane gas endpoint.
As the two researchers dug into the incident, they found that, because part of the website required no authentication, Indane had been leaking sensitive details about its customers. The hole, in Indane's online dealers portal, let anyone look up information about consumers and dealers, keyed by dealer ID, without logging in. The portal only reacted once the requesting IP address was blocked, by which point most of the records had already been read.
Using features of the server itself, the French researcher behind the Elliot Alderson handle first obtained the total number of dealer records in the portal, then wrote a Python script to enumerate valid dealer IDs and count the customers exposed under each one. As his report states:
After a few minutes, I wrote this Python script. By running this script, it gives us 11062 valid dealer IDs. After more than 1 day, my script tested 9490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak.
Unfortunately, Indane probably blocked my IP, so I didn't test the remaining 1572 dealers. By doing some basic math we can estimate the final number of affected customers around 6,791,200.
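What such a scan looks like, as an added example that is not the researcher's script: the portal below is a constructed in-memory stand-in (its /dealer/<id> and /dealer/<id>/customers paths, the dealer IDs in SAMPLE_DEALERS and the block threshold are all invented so the code runs offline). It probes dealer IDs with no session at all, tallies the customer records each valid dealer exposes, stops when the server starts answering 403, and extrapolates from the dealers it managed to test, the same arithmetic that turns 5,826,116 customers across 9,490 of 11,062 dealers into the estimate of about 6,791,200 quoted above. The require_session switch models the check the real portal lacked: with it on, the first unauthenticated request gets 401 and the scan finds nothing.

```python
"""Enumeration of an unauthenticated dealer endpoint.

Constructed simulation, not the researcher's code. MockDealerPortal, its
URL paths, SAMPLE_DEALERS and the block threshold are invented so the
example runs offline; only the method (probe IDs without credentials,
count exposed records, extrapolate once blocked) comes from the article.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Response:
    status: int
    body: Optional[dict]


class MockDealerPortal:
    """Stand-in for the vulnerable portal. With require_session=False it
    answers any client (the flaw); it also blocks the caller after
    block_after requests, mirroring the IP block that ended the real scan."""

    def __init__(self, dealers: Dict[int, int], block_after: int,
                 require_session: bool = False):
        self.dealers = dealers            # dealer_id -> number of customer records
        self.block_after = block_after
        self.require_session = require_session
        self.requests = 0

    def get(self, path: str, session: Optional[str] = None) -> Response:
        self.requests += 1
        if self.requests > self.block_after:
            return Response(403, None)    # IP blocked
        if self.require_session and session is None:
            return Response(401, None)    # the check the real portal lacked
        parts = path.strip("/").split("/")
        if len(parts) >= 2 and parts[0] == "dealer" and parts[1].isdigit():
            dealer_id = int(parts[1])
            if dealer_id not in self.dealers:
                return Response(404, None)
            if len(parts) == 2:
                return Response(200, {"dealer_id": dealer_id})
            if len(parts) == 3 and parts[2] == "customers":
                return Response(200, {"dealer_id": dealer_id,
                                      "customer_count": self.dealers[dealer_id]})
        return Response(404, None)


def enumerate_dealers(portal: MockDealerPortal,
                      id_range: Iterable[int]) -> Tuple[List[int], Optional[int]]:
    """Probe each ID with no session. Returns the IDs that answered 200 and
    the status (401 or 403) that stopped the scan, or None if it ran to the end."""
    valid: List[int] = []
    for dealer_id in id_range:
        r = portal.get(f"/dealer/{dealer_id}")
        if r.status in (401, 403):
            return valid, r.status
        if r.status == 200:
            valid.append(dealer_id)
    return valid, None


def count_customers(portal: MockDealerPortal, dealer_ids: Iterable[int]) -> dict:
    """Sum each dealer's exposed customer count until the server stops answering."""
    customers, tested = 0, 0
    for dealer_id in dealer_ids:
        r = portal.get(f"/dealer/{dealer_id}/customers")
        if r.status in (401, 403):
            return {"customers": customers, "tested": tested, "stopped": r.status}
        if r.status == 200:
            customers += r.body["customer_count"]
        tested += 1
    return {"customers": customers, "tested": tested, "stopped": None}


def extrapolate(customers_seen: int, dealers_tested: int, dealers_total: int) -> int:
    """Scale the count from the dealers actually tested to all valid dealers
    (the 'basic math' in the quoted report), truncated to a whole number."""
    if dealers_tested == 0:
        raise ValueError("no dealers tested, nothing to extrapolate from")
    return customers_seen * dealers_total // dealers_tested


# Constructed sample data: four valid dealers inside a probed range of 16 IDs.
SAMPLE_DEALERS = {101: 500, 102: 300, 105: 200, 110: 1000}
PROBE_RANGE = range(100, 116)


def run_scan(block_after: int = 19, require_session: bool = False) -> dict:
    """Run both phases against a fresh mock portal and return the findings."""
    portal = MockDealerPortal(SAMPLE_DEALERS, block_after, require_session)
    valid, stopped = enumerate_dealers(portal, PROBE_RANGE)
    result = {"valid_dealers": valid, "enumeration_stopped": stopped,
              "customers": 0, "tested": 0, "stopped": stopped, "estimate": 0}
    if not valid:
        return result
    result.update(count_customers(portal, valid))
    result["estimate"] = extrapolate(result["customers"], result["tested"], len(valid))
    return result


if __name__ == "__main__":
    print(run_scan())                               # blocked after 3 of 4 dealers
    print(run_scan(require_session=True))           # hardened: 401 on the first probe
    print(extrapolate(5_826_116, 9_490, 11_062))    # the figures from the quoted report
```

Two things worth noting from the run. The block only arrives after the 19th request, so in the default scan three of the four dealers have already been read before the 403; blocking by IP is a reaction to an enumeration already under way, not a control. The extrapolation assumes the untested dealers resemble the tested ones, which is why the report calls it an estimate rather than a count.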
Not the first Aadhaar number leak
After further reports about the incident, IndianOil was quick to deny the researchers' claims, stating that it captures only the Aadhaar number needed for LPG subsidy transfers and no other Aadhaar-related details, so no Aadhaar data could have leaked through it. In its Twitter post, Indian Oil Corp Ltd stated:
IndianOil in its software captures only the Aadhaar number which is required for LPG subsidy transfer. No other Aadhaar related details are captured by IndianOil. Therefore, leakage of Aadhaar data is not possible through us.
The same post states that no Aadhaar numbers are hosted on the company's website. However, other researchers who analyzed the database sample Alderson shared report that the URL linked from each customer record displays that customer's Aadhaar number on the page. Unfortunately, this is not the first Aadhaar-related incident: unprotected third-party databases have leaked Aadhaar details of Indian citizens before.