A French security researcher has claimed that he received a message stating that due to a lack of authentication in the local dealers portal, Indane, an LPG brand owned by the Indian Oil Corporation (IOC) is leaking names, addresses and Aadhaar numbers of more than 67 lakh customers.

Share Market Live

NSE

Baptiste Robert, who goes by the online handle Elliot Alderson and has exposed Aadhaar leaks in the past, in his blog post said, "Due to a lack of authentication in the local dealers portal, Indane is leaking the names, addresses and the Aadhaar numbers of their customers."

The leak was uncovered after Alderson received a private message on Twitter. After exchanging a few messages, Alderson said that the sender sent him a URL (uniform resource locator) so to say, the link of the website.

Using a custom-built script to scrape the database, Alderson found customer data for nearly 11,000 dealers, including names and addresses of customers, before his IP was blocked by Indane.

The French researchers found 5.8 million Indane customer records before his script was blocked.

Here's how Alderson unearthed the data leak

After opening the link, linked to the “Consumer No”, Alderson found that it contains a parameter called “aadhar_no”.

Along with this, there is the 'Consumer Name', the 'Consumer Address' and on the bottom right, there is 'Total Records'. In the URL, Alderson found that there is a parameter called 'dealerID', which if the value of the dealerID parameter is modified, one can access the consumer information of another dealer.

To get how many distributors there are of Indane, Albertson first checked out Wikipedia which said there are around 90 million Indian families that are getting their cylinders through a network of 9,100 distributors.

Alderson confirmed this finding by verifying it on Indane's mobile app. On the app, by using the 'Locate Your Distributor' feature, Albertson began the coding.

The server sends the dealer identifications of the corresponding 'bgadistrict', and found there are 714 bgadistrict of such.

"Thanks to the endpoint found in the Android app, we will obtain all the valid dealer ids and then we will scrape all the “Total records” in the local dealer portal," Albertson wrote.

"I wrote the python script. By running this script, it gives us 11062 valid dealer ids. After more than one day, my script tested 9,490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak," he wrote.

"Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1,572 dealers. By doing some basic math we can estimate the final number of affected customers around 67,91,200," he wrote.

Indane and the Unique Identification Authority of India (UIDAI) were yet to comment on this data leak.

First Published:Feb 19, 2019 4:39 PM IST