Security researchers said that data from about 72.6 lakh users of the mobile payment app BHIM was exposed through a website. The report by the VPN review website vpnMentor stated that the exposed data included sensitive personal information such as names, dates of birth, age, gender, home addresses, caste status and Aadhaar card details.
In a blog post on Sunday, security researchers at vpnMentor wrote, “The scale of the data exposed is extraordinary. It can affect millions of people across India. Taking advantage of this, hackers and cybercriminals could also commit fraud, theft, and attacks.”
The exposure was closed only after the researchers contacted the Computer Emergency Response Team of India (CERT-In), informing it twice within a month; the bucket was secured last month. The BHIM website was developed by a company called CSC e-Governance Services Limited in partnership with the Government of India.
The researchers said, “In this case, the BHIM data was stored in an unprotected Amazon Web Services (AWS) S3 bucket.” They noted that S3 buckets are a popular form of cloud storage worldwide, but it is up to the developers to configure the security settings on their own account.
The researchers said, “We reached out to the website developers to inform them of the misconfiguration in their S3 bucket and offer our assistance. After not getting a reply, we contacted the Computer Emergency Response Team (CERT-In) of India, the country’s cyber security agency.”
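The exposure above came down to an S3 bucket whose access settings allowed anyone to read it. The following Python script is an added example, not code from the article or from vpnMentor or CSC, showing the check a bucket owner or auditor can run on a bucket policy document and the bucket's Block Public Access settings to spot that misconfiguration. The two policy documents, the account ID and the role name are constructed samples; the `BlockPublicAcls` / `IgnorePublicAcls` / `BlockPublicPolicy` / `RestrictPublicBuckets` field names are the real AWS setting names, and the policy JSON follows the real IAM policy grammar.

```python
import json

# Constructed sample: a bucket policy that grants anonymous read and list
# access, the kind of setting that exposes every object in the bucket.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: the same bucket restricted to one IAM role
# (account ID and role name are placeholders).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Block Public Access settings in the shape s3:GetPublicAccessBlock returns
# (real AWS field names; values here are constructed).
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = {key: True for key in BPA_OFF}

# Actions that let a caller read objects or enumerate the bucket.
READ_ACTIONS = {"s3:*", "s3:get*", "s3:getobject", "s3:list*", "s3:listbucket"}


def _as_list(value):
    """Normalise IAM's 'string or list or single object' fields to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _is_anonymous_principal(principal):
    """True when the Principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy_json):
    """Return the Sids of statements that let anyone read objects or list the bucket.

    A statement is flagged when it is an Allow, its Principal is the wildcard,
    it grants a read or list action, and it carries no Condition. Statements
    with a Condition are skipped here because a condition can narrow access
    (for example to a VPC endpoint), so they need a separate, closer review.
    """
    policy = json.loads(policy_json)
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = {action.lower() for action in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def bucket_is_exposed(policy_json, public_access_block):
    """Combine the policy check with the Block Public Access settings.

    With RestrictPublicBuckets on, S3 ignores public bucket policies for
    anonymous and cross-account callers, so a public statement alone does
    not expose the data; with it off, a public read statement means anyone
    on the internet can fetch the objects.
    """
    if public_access_block.get("RestrictPublicBuckets"):
        return False
    return bool(public_read_statements(policy_json))


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)):
        for bpa_name, bpa in (("BPA off", BPA_OFF), ("BPA on", BPA_ON)):
            print(f"{name:10} {bpa_name:8} exposed={bucket_is_exposed(policy, bpa)}"
                  f" flagged={public_read_statements(policy)}")
```

The script covers the bucket-policy path only; object and bucket ACLs are a second way a bucket becomes public, which is why enabling all four Block Public Access settings at the account level is the simpler control: it neutralises both paths regardless of what a later deployment writes into the policy.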
How Was the BHIM Data Compromised?
Research led by vpnMentor’s Noam Rotem and Ran Lokar revealed that CSC had set up a misconfigured S3 bucket linked to a website used to promote BHIM across the country and to sign up new merchant businesses, such as mechanics, farmers, service providers and store owners, on the app. The exposed data, first discovered by the security researchers on 23 April, amounted to 409GB.
The report stated, “It is difficult to say precisely, but the S3 bucket had records from a short period (February 2019). However, within such a short time, more than 70 lakh records were uploaded and exposed.”