
Accessing DigiLocker without authentication

10 November, 2020 - By

The Indian Government has acknowledged that the secure document wallet service 'DigiLocker' could have allowed hackers to bypass mobile OTP and sign in as other users without requiring passwords. This could have allowed easy unauthorized access to sensitive documents uploaded by Indians on the Government-operated platform.

For those who are unaware, DigiLocker is a Government-operated document wallet that saves your sensitive documents/certificates like driving license, vehicle registration, academic mark sheet, etc., on the cloud.

The critical vulnerability in DigiLocker was reported separately by two independent bug bounty researchers, Mohesh Mohan and Ashish Gahlot.

The flaw essentially allowed malicious actors with some technical know-how to easily bypass the 2FA required to log into the application.

The login process could be manipulated by using basic user information from an Aadhaar card and by intercepting and changing the parameters of the app's connection to the server.

This means that unauthorized users could log in, create a new PIN, and get unrestricted access to sensitive personal data stored on DigiLocker's cloud server without even entering a password.
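A bypass of this kind depends on the server trusting values the client sends during login. The following is an added illustration, not DigiLocker's code and not taken from the researchers' reports: it keeps the OTP state and the user identity in a server-side session, so changed request parameters cannot skip the OTP step or switch accounts. The flow, the class and field names, the six-digit PIN and the limits are all assumptions.

```python
import hmac
import secrets
import time

OTP_TTL = 300   # seconds an issued OTP stays valid (assumed value)
MAX_TRIES = 5   # wrong guesses allowed before the session is dropped

class LoginFlow:
    """Hypothetical OTP-then-PIN flow; all decisions use server-side state."""

    def __init__(self):
        self._sessions = {}  # session token -> state kept only on the server

    def start(self, user_id, send_otp):
        # The server creates the OTP and records which user it was issued for.
        sid = secrets.token_urlsafe(32)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._sessions[sid] = {"user": user_id, "otp": otp, "tries": 0,
                               "verified": False,
                               "expires": time.time() + OTP_TTL}
        send_otp(user_id, otp)  # out-of-band delivery, never in the response
        return sid

    def _live(self, sid):
        s = self._sessions.get(sid)
        if s is None or time.time() > s["expires"] or s["tries"] >= MAX_TRIES:
            self._sessions.pop(sid, None)
            return None
        return s

    def verify_otp(self, sid, submitted):
        s = self._live(sid)
        if s is None:
            return False
        ok = hmac.compare_digest(s["otp"].encode(), str(submitted).encode())
        s["tries"] += 0 if ok else 1
        s["verified"] = s["verified"] or ok
        return ok

    def set_pin(self, sid, params):
        # Identity and OTP status come from the session; "user" or
        # "otp_verified" fields in the client's request are never read.
        s = self._live(sid)
        pin = str(params.get("pin", ""))
        if s is None or not s["verified"] or not (
                pin.isascii() and pin.isdigit() and len(pin) == 6):
            return None
        del self._sessions[sid]  # single use: the session cannot be replayed
        return s["user"], pin    # caller stores a salted hash of the PIN
```
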

The vulnerability in DigiLocker was identified and reported last month and was partially fixed within a couple of days, but the OTP bypass issue was fixed only yesterday. So far, there are no reports of unauthorized access or misuse of user data.
