A security vulnerability in the Indian Post Office portal has exposed sensitive Know Your Customer (KYC) data of thousands of users through an Insecure Direct Object Reference (IDOR) attack vector. The flaw was identified in the portal’s URL structure, allowing unauthorized access to confidential customer information. The incident comes just months after India Post’s implementation of an Aadhaar-based eKYC system for its savings accounts, highlighting the ongoing challenges in securing digital identity infrastructure.
Cyber Security Analyst Gokuleswaran discovered that the vulnerability enabled access to private KYC records through manipulation of the document_id parameter in API requests. The exposed data included Aadhaar numbers, PAN details, usernames, and mobile numbers of postal service customers. The breach is particularly concerning given India’s recent expansion of Aadhaar authentication services to more sectors, increasing the potential impact of such security lapses.
The security incident presents multiple risks, including identity theft through unauthorized use of Aadhaar and PAN information, targeted phishing attacks using leaked contact details, and possible compliance issues under Indian data protection regulations. The exposure is especially significant as India prepares to launch an enhanced Central KYC Registry with AI features in 2025, aimed at strengthening the country’s identity verification infrastructure.
CERT-In has acknowledged the vulnerability and issued technical guidance to address IDOR-related security concerns. The agency’s recommendations include implementing secure tokens in place of direct URL references and conducting regular security assessments. The advisory follows CERT-In’s recent pattern of heightened security alerts, including warnings about critical Android vulnerabilities affecting mobile security.
To prevent similar incidents, security experts recommend implementing several technical controls, including strict server-side authorization verification, replacement of direct identifiers with randomized tokens, thorough parameter validation, regular penetration testing, and enhanced user activity monitoring. These recommendations support India’s broader efforts to strengthen its digital identity ecosystem, including recent mandates for biometric authentication in GST registration.
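The following Python sketch is an added example, not code from the portal or from CERT-In's guidance. It contrasts a lookup that trusts a caller-supplied document_id with one that applies the controls listed above: a server-side ownership check, randomized references, parameter validation, and a log line for monitoring. The store, user names and records are constructed for illustration.

```python
import logging
import re
import secrets

log = logging.getLogger("kyc.access")
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22}")  # shape of secrets.token_urlsafe(16)


def get_document_unchecked(docs_by_id, document_id):
    """The IDOR pattern: the caller-supplied id is the only thing consulted."""
    return docs_by_id[document_id]


class KycStore:
    """In-memory stand-in for a document store; all records are constructed."""

    def __init__(self):
        self._docs = {}  # opaque reference -> (owner, record)

    def add(self, owner, record):
        # Random 128-bit reference instead of a guessable, sequential id.
        ref = secrets.token_urlsafe(16)
        self._docs[ref] = (owner, record)
        return ref

    def get_for_user(self, session_user, ref):
        # Parameter validation: reject anything that is not one of our references.
        if not isinstance(ref, str) or not TOKEN_RE.fullmatch(ref):
            raise ValueError("malformed document reference")
        entry = self._docs.get(ref)
        # Server-side authorization: ownership is checked against the
        # authenticated session, never against anything in the request.
        if entry is None or entry[0] != session_user:
            # Same error for "missing" and "not yours", plus a log line for monitoring.
            log.warning("denied KYC read user=%s ref=%s", session_user, ref)
            raise PermissionError("document not available")
        return entry[1]


def demo():
    legacy = {1001: {"owner": "alice"}, 1002: {"owner": "bob"}}  # constructed
    leaked = get_document_unchecked(legacy, 1002)  # alice's session, bob's id
    store = KycStore()
    alice_ref = store.add("alice", {"name": "A. Example"})
    bob_ref = store.add("bob", {"name": "B. Example"})
    own = store.get_for_user("alice", alice_ref)
    try:
        store.get_for_user("alice", bob_ref)
        denied = False
    except PermissionError:
        denied = True
    return leaked["owner"], own["name"], denied
```

The randomized reference only makes records harder to enumerate; the ownership check in `get_for_user` is what actually closes the IDOR, so it must stay even when opaque tokens are in use.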
The incident occurs amid India’s ongoing digital transformation of government services, highlighting the technical challenges of securing digital infrastructure while maintaining public service accessibility. The balance becomes increasingly critical as India continues to expand its digital identity services, with the country’s systems serving as a model for other nations, as evidenced by Sri Lanka’s recent adoption of India’s DigiLocker system.
Sources: Cybersecurity News, Compliance Hub, MediaNama