Skip to main content

ITmatterss

UMANG Portal Flaw May Have Exposed Aadhaar-Linked Data: Report

Vertical Share Bar
UMANG Portal Flaw May Have Exposed Aadhaar-Linked Data: Report

Key Highlights

  • Researchers reported vulnerabilities in the UMANG portal that may have exposed Aadhaar-linked information and EPFO details.
  • The flaws reportedly affected multiple government services integrated into the UMANG platform.
  • The government says corrective measures have been implemented and sensitive API data has now been encrypted.
  • The researchers, however, argue that the new encryption remains insufficient and needs stronger protection.

Security researchers have disclosed vulnerabilities in India’s UMANG portal that may have exposed Aadhaar-linked information, EPFO account details, LPG booking records, and other sensitive data. The Ministry of Electronics and Information Technology (MeitY) has acknowledged the findings and says it has started implementing security fixes, although researchers claim some concerns remain unresolved.

The report has renewed focus on cybersecurity across India’s digital public infrastructure, particularly platforms that connect millions of citizens with government services.

What Is the Reported UMANG Portal Flaw?

According to researchers Akshay CS and Viral Vaghela, several services available through the UMANG portal exposed sensitive user information through insecure application programming interfaces (APIs). The researchers claim some Aadhaar numbers were visible in plaintext across multiple integrated services, despite regulations that restrict such storage under the Aadhaar Act, 2016.

They clarified that the Aadhaar module itself was not vulnerable. Instead, the reported issues involved various government services connected to the UMANG platform.

UMANG serves as a single gateway for more than 2,400 services offered by central and state government departments, including pension services, healthcare, certificates, and Employees’ Provident Fund Organisation (EPFO) services.

Which Data Could Have Been at Risk?

The researchers said the vulnerabilities could have exposed information such as Aadhaar-linked identifiers, EPFO Universal Account Numbers (UAN), and LPG booking details associated with at least one major oil marketing company.

One of the biggest concerns relates to the EPFO service, which is among the most frequently used modules on UMANG. According to the report, the researchers warned that attackers with access to UAN details could potentially manipulate bank account information and initiate fraudulent payouts if the flaws were exploited.

However, the researchers have not publicly released technical details of the vulnerabilities because they believe some issues may still be active. At this stage, there is no public evidence that the vulnerabilities were exploited to steal user data.

How Has the Government Responded?

The vulnerabilities were reportedly disclosed to MeitY and the Indian Computer Emergency Response Team (CERT-In), which coordinates responses to cybersecurity incidents.

In its response, the ministry said its development and security teams had examined the findings and were implementing corrective and preventive measures. It also stated that plaintext information exposed through affected APIs has now been encrypted.

Additionally, MeitY said it reviewed API transaction logs covering the previous three months and found no unusual transaction activity. The ministry added that monitoring of the platform is continuing.

The researchers, however, argue that the encryption method adopted is inadequate and could be bypassed using relatively simple techniques.

Why Does This Matter?

The incident highlights the growing cybersecurity challenges facing large digital government platforms. As services become increasingly interconnected, a vulnerability in one component can potentially affect multiple systems and millions of users.

The report also comes as India strengthens its cybersecurity capabilities. IT Secretary S. Krishnan recently confirmed that CERT-In has established a dedicated “war room” to audit critical government code using locally hosted open-source AI models. The government is also exploring access to more advanced AI systems to improve vulnerability detection and cyber defense.

While the investigation continues, the UMANG portal case underscores the need for regular security audits, secure API practices, and rapid disclosure processes to protect sensitive citizen data.

13

Leave a Reply

Your email address will not be published. Required fields are marked *

logo

Get the latest news instantly

You can change your preferences anytime.