Hey hi everyone, myself (virus_boss/Nomaan khan aka viruszhunter), back with another interesting topic. In this blog I’ll be talking about how I found many websites that are leaking their clients identification details, like Aadhaar card, PAN card, Bank details and many more…

Recently I was scanning various websites for research purposes, and interestingly I found that most of the websites have a specific type of vulnerability, i.e. directory listing.
Now let me tell you all briefly about this ‘directory listing’ vulnerability:
Web servers can be configured to automatically list the contents of directories that do not have an index page present. This can aid an attacker by enabling them to quickly identify the resources at a given path, and proceed directly to analyzing and attacking those resources. It particularly increases the exposure of sensitive files within the directory that are not intended to be accessible to users, such as temporary files and crash dumps.
So basically, whatever content is uploaded to the website can be accessed by any third party.
What did I find?
I found a website, let's say something.com, which falls under the category of Advertisement / Business Support websites, that has been leaking the information of its customers for the past few years; more than 50K user details are leaked, which include their Aadhaar card, PAN card, photo, signature, bank details and more.
Not only advertisement sites or business support sites are leaking data but also many NGOs, School websites and even some cloud storage platforms are leaking data about their clients.
What was my next step?
I immediately reported the site to NCIIPC with proper proof.
NCIIPC runs Responsible Vulnerability Disclosure Program (RVDP) for reporting any Vulnerability in Critical Information Infrastructures that may cause unauthorized access, modification, use, disclosure, disruption, incapacitation or distraction of the same.
How to solve this vulnerability?
There is not usually any good reason to provide directory listings, and disabling them may place additional hurdles in the path of an attacker. This can normally be achieved in two ways:
- Configure your web server to prevent directory listings for all paths beneath the web root;
- Place into each directory a default file (such as index.htm) that the web server will display instead of returning a directory listing.
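As an added example (not configuration from the original post or from any site mentioned in it), this is how both fixes look in an Apache httpd configuration; the `/var/www/html` and `/var/www/html/uploads` paths are assumed placeholders.

```apache
# httpd.conf fragment (added example; directory paths are assumed placeholders)

<Directory "/var/www/html">
    # Weak setting: with Indexes enabled, any directory that has no index file
    # gets an auto-generated HTML listing, so every uploaded document is
    # discoverable by simply browsing to the directory URL.
    #Options Indexes FollowSymLinks

    # Fix 1: -Indexes disables listings for the web root and every path beneath it.
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Fix 2: the default file served in place of a listing (candidates tried in order).
DirectoryIndex index.html index.htm index.php

# Caveat: disabling listings only hides the file names. A scanned ID card is
# still downloadable by anyone who knows or guesses its exact URL, so the
# directory holding client documents should not be directly web-accessible;
# serve such files through an authenticated application route instead.
<Directory "/var/www/html/uploads">
    Require all denied
</Directory>

# Self-check after reloading the server: a request for an index-less directory
# should now return "403 Forbidden" instead of an "Index of /..." page.
#   curl -sI https://example.com/uploads/ | head -1
```

The nginx equivalent of fix 1 is `autoindex off;` in the relevant `location` or `server` block, which is also nginx's default.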
What should you all do?
- First and foremost, you should be aware of everything you do online, whether it is using Facebook, Instagram, Twitter, Google or anything else.
- Do NOT share every piece of information about yourself on your social media sites.
- If you are applying for jobs or filling in any kind of form online, make sure the website has good reviews or at least has “https://” as the prefix of the web address / link.
- Try to avoid uploading your personal identification numbers unless it's really necessary.
- Disclaimer: this post is made for educational purposes only. Author: virus_boss.
Screenshots:



Try to be SAFE ONLINE ❤, because nothing is faster than INTERNET LEAKS!!!