How I managed to gain access to The Indian Digital treasure – 3 Billion documents on Digilocker

During the beginning of May 2020, there was a large commotion about the arogyasetu app and its security after a so called “hack” by infamous political hacker named Elliot Alderson. In light of all this, we at the YAS (Yet Another Security) community, had some talks in our WhatsApp group. So, it turned out to be a discussion on techniques used for bypassing SSL pinning on the mobile apps. This whole discussion made be curious about other apps from India government and since I have worked on similar projects outside of India, digilocker caught my attention.

Hence, I downloaded the app and installed on my test devices and fired up my favorite toolset burpsuite + Frida. I used my homebrewed pinning bypass scripts to actively intercept the app’s communication with the backend. To my surprise, I found that digilocker was not matching with the basic security features of arogyasetu, such as custom root detection, custom ssl pinning checks all wrapped inside obfuscated binary.

That made it interesting, I decided to dig in, as I was not current user of the platform it asked me to signup first and setup a pin to access the system. The immediate thing that caught my eye on the request to set pin was it was a normal http request with no session, in layman’s terms, the platform allows an anonymous user to set pin for any active user of the platform. Shocking!!!

To give more technical context, internally the system denotes each user with a unique v5 UUID (v5 denotes it has enough entropy and that there is less chance of duplication and has enough randomness to it), so to set a new pin for the user all you need is to call the endpoint with uuid and new pin value.

All of this made me think about how to bypass sms otp of a user, because pin is asked after the OTP. So by looking at how the communication progresses between mobile app and backend server I came to conclusion that the steps of verifying sms otp and submitting pin are not linked together. Meaning you can do the sms otp as one user and submit pin of second user and finally you will end up logging in as second user. Bingo!!!

I figured all this by looking at the mobile app of digilocker, wait a minute there is a web portal for digilocker. I started to look at the web portal of digilocker, this then gave me more internal knowledge on the mobile app.  Here are some observations that I sent to CERT-IN and digilocker teams.

Timelines

May 10th – I reported this to CERT-IN
May 14th – CERT-IN finally acknowledged the issue
May 28th – CERT-IN confirmed the issues are fixed
June 3rd – I saw another blog with similar findings and decided to write one of my own.

Credits

Dedicated to all 215 members who are my hardcore brothers & sisters from YAS community. Thanks for all your support and inspiration to do this.

Detailed observations

Below is a summary of the findings that i found, I just gave risk rating based on industry standards for each.

1) OTP bypass due to lack of authorization – Critical

The OTP function lacks authorization which makes it possible to perform OTP validation with submitting any valid users details and then manipulation flow to sign in as totally different user. Let’s assume attacker creates/gets hold of a valid dummy account.

Attack path

  1. Use any valid account attacker has access to and complete otp
  2. Proceed with pin submission to totally different victim account
  3. Logs into victim account

Below is attack steps

  1. Attacker uses a valid user account that he has access and starts the login process by submitting phone number.
  2. Attacker completes the OTP validation with account (mobile number) he possesses.
  3. Attacker proceeds to submit the secret pin

Sample screen shot of login call, similar calls can be observed to all above mentioned urls.

2) Secret PIN Bypass/takeover – Critical

The pin setting API/URL lacks any authorization and can be used to reset pin of any user without authentication.

Attack path

  1. Attacker finds the uuid of a user or randomly picks one
  2. Attacker sets the pin via the url
  3. Attacker uses vulnerability #1 mentioned above to gain access to the account

Below is attack steps

  1. Attacker submits the uuid of the user and new pin to the url https://accounts.digitallocker.gov.in/signup/set_pin
  2. Pin gets updated

Sample screenshot of the call. Notice there is no session related information on the POST request so its not bound to any user

3) Poor session mechanism in APIs – High

It was observed that the API calls from mobile were using basic authentication to fetch data or do transactions. All calls from mobile has a header flag is_encrypted: 1 which denotes that the user has to submit the credentials (user_uuid:secret_pin) in basic auth format encrypted with Algorithm: AES/CBC/PKCS5Padding with key We4c4HYS5eagYdshfEP2KY27KwkjaZNH

However it was found that the same api can be accessed with removing the is_encrypted: 1 flag and then submitting the credentials in basic auth format (user_uuid:secret_pin)

Attack path

  1. Use vulnerability #2 to set and takeover pin of any user
  2. Call the api directly as described above to access function or data directly

Sample call from mobile app

Sample call removing the header flag and using unencrypted credentials

Output of Custom script to monitor crypto functions in the mobile app

4) Weak SSL pinning mechanism in mobile app – Medium

The app uses weak ssl pinning it can be bypass easily with tools like Frida and known techniques.

Acknowledgement from CERT-In

Confirmation on fix

Digilocker team Confirmation

Mohesh Mohan
Started my career as a developer of web applications, later I was given an opportunity to purse my dream in information security. So I moved to information security in Ernst and Young. I started as a part of ITRA doing penetration testing for external clients including major banks, insurance and telecom companies across middle east and Africa, Later I moved into global information security team and there I mostly handled critical internal applications and periodic security assessments of all internet facing applications. I love this profession very much as it gives challenges and opportunities to learn something new on a daily basis. Apart from that I love robotics and hardware hacking and currently I am building a 3d printer, a cnc machine and a robotic pet. Whenever possible I find time to attend hacker conferences and among one such occasion I met with Dr. Philip Polstra, professor and renowned speaker at DEFCON 2014 USA. Phil mentioned my name in his book “Hacking and Penetration Testing with Low Power Devices” (ISBN-13: 978-0128007518, ISBN-10: 0128007516), highlighting the work that I have done.