Hyderabad: Researchers had long discovered that the resident database of UIDAI is vulnerable and have been asking UIDAI to fix it. In fact, repeated requests to fix it over the past few years have gone unheeded. UIDAI resident portal resident.uidai.gov.in with read access to the entire aadhaar demographic data is running on an older version of the Liferay software. Researchers are now uploading comics and tweets on the website.
According to Mr. Rana, “UIDAI is running an older version of the software Liferay. The support for the version ended almost 4 years back. As part of showing proof of the vulnerabilities in using old software, we uploaded comics. This was also to get the attention of UIDAI. There is a basket of vulnerabilities with the outdated software and this is just one of them.”
Despite Cybersecurity experts suggesting that the software should be updated, UIDAI has not done it. Mr Rana reported the issue in January 2017 and followed up on it in January 2018. “The only change that I’m aware of since my initial report is that the website stopped declaring the Liferay version. Since they have not updated it for almost four years, now it would be a tedious task to update the software.”
Mr Kingsley John who was also following up on the issue said, “UIDAI knows about what I have been trying to report since January 2017 and has not done anything to fix it. It is using Liferay Portal 6.1.1 CE. Liferay Portal 6.1.1 CE was released on February 26, 2013. Support for 6.1.x CE ended the day 6.2 CE hit ground, which happened on December 12, 2013.”
There was also a release of 6.1.2 CE on December 12, 2013 which UIDAI has not bothered to update. If they have made a lot of customised changes, then they’ll have to update them to be in sync with all the changes made to Liferay Portal over the last 5 years.
How long their portal will be down depends on how much customisation they had made.”
Mr Rana contacted UIDAI and NCIIPC at least ten times over the past six months. Not only him, other users also noticed the vulnerability and raised concerns. Because of this issue, any tweet can be embedded into the Aadhaar portal.
