A security researcher has discovered a critical bug in the e-District portal operated by the West Bengal government, exposing sensitive personal data, including biometric information and Aadhaar numbers, of millions of state residents. The flaw was patched last week following its disclosure.
Sourajeet Majumder, the researcher who unearthed the vulnerability, reported that he could access digital copies of land deeds using sequential application identification numbers—a unique 16-digit code assigned to each deed application. “It’s like leaving your house door wide open; anyone who knows the trick can walk in,” said Majumder.
These land deeds contained vital information such as names, photographs, and fingerprints of the landowners. In some instances, multiple individuals were listed on a single deed. Majumder alerted India’s Computer Emergency Response Team (CERT-In) and the West Bengal government about the issue, fearing the data could be misused for identity theft and fraud.
Aadhaar numbers, which are a cornerstone of India’s national identity and biometric database, were also exposed through this flaw. These numbers are essential for availing services like banking and cell phone plans.
Majumder utilized publicly available tools like Burp Suite to analyze the website’s network traffic. “I cycled through entire lists of sequential application numbers and used server responses to validate them,” he elaborated. Once a valid application identification number was found, anyone with a login could access the respective land deed.
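The access-control gap described above, shown next to a corrected check. This is an added Python example, not code from the portal or from the researcher; the record layout, user names, application numbers and function names are all constructed assumptions.

```python
from collections import Counter

# Constructed sample records; field names, user names and IDs are assumptions.
DEEDS = {
    "1000000000000001": {"owners": {"user-a"}, "doc": "deed-A.pdf"},
    "1000000000000002": {"owners": {"user-b", "user-c"}, "doc": "deed-B.pdf"},
}
NOT_FOUND = (404, "not found")


def fetch_deed_flawed(session_user, application_id):
    """The pattern the article describes: a login is the only check."""
    if session_user is None:
        return (401, "login required")
    record = DEEDS.get(application_id)
    if record is None:
        return (404, "no such application")  # distinct reply confirms which IDs exist
    return (200, record["doc"])


def fetch_deed_hardened(session_user, application_id, audit_log):
    """Return a deed only to a user listed on it; log every refusal."""
    if session_user is None:
        return (401, "login required")
    record = DEEDS.get(application_id)
    if record is None or session_user not in record["owners"]:
        # Same reply for "does not exist" and "not yours", so responses
        # cannot be used to tell valid application numbers from invalid ones.
        audit_log.append((session_user, application_id))
        return NOT_FOUND
    return (200, record["doc"])


def flag_enumeration(audit_log, threshold=3):
    """Users with at least `threshold` refused lookups of distinct IDs."""
    distinct = Counter(user for user, _ in set(audit_log))
    return sorted(u for u, n in distinct.items() if n >= threshold)


if __name__ == "__main__":
    log = []
    for n in range(1, 6):  # constructed: one account walking sequential IDs
        fetch_deed_hardened("user-x", f"{1000000000000000 + n:016d}", log)
    print(fetch_deed_flawed("user-x", "1000000000000001"))
    print(flag_enumeration(log))
```

The hardened handler ties each deed to the people listed on it, which also covers deeds with several owners, and the refusal log gives operations a signal when one account requests many application numbers it has no claim to.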
The West Bengal e-District portal has reportedly processed over 17 million applications, although it remains unclear how many of those were related to land deeds. This discovery comes amid a reported rise in biometric data-based fraud, further fueling the ongoing debate around Aadhaar data security in India.
Representatives for the West Bengal government and CERT-In did not respond to requests for comment at the time of reporting.
The incident underscores the importance of stringent cybersecurity measures to safeguard sensitive personal data, as concerns grow over identity theft and biometric fraud in India.