Late Saturday night, security researcher Abhay Rana published a post detailing an XSS vulnerability on the UIDAI portal at resident.uidai.gov.in. It allowed anyone to craft a URL which, when opened, made the portal render content of the attacker's choosing, so that UIDAI appeared to host that content.
The vulnerability was a result of UIDAI running its portal on legacy code: Liferay 6.1 Community Edition, which reached end of life on 12th December 2013 and was no longer supported. In fact, the code was so old (released over five years earlier) that its vulnerabilities were no longer listed under current known vulnerabilities and had been moved to the archive.
It was only when Aadhaar critics, angry over UIDAI's continued pattern of inaction over reported vulnerabilities, shared links demonstrating how content critical of Aadhaar could appear to be hosted on the UIDAI website, that UIDAI finally took action. No, the action was not to upgrade to a supported edition; it was to block the specific URL fragments used in those demonstrations. Blocking known strings leaves the injection point itself in place, so any variant the filter does not match still works. UIDAI's determination to maintain vulnerabilities remains constant.
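To make the difference between the two responses concrete, here is an added, constructed example. It is not code from the UIDAI portal, from Liferay, or from the published post, and it does not reproduce the payload used there; the page template, the parameter name `q`, the blocked fragments and the URLs are all hypothetical. It shows a handler that reflects a query parameter into HTML, the "block the URL fragments" mitigation applied to the raw query string, and the actual fix of encoding the value before it is inserted.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed illustration: a minimal page that echoes a query parameter
# into its body, as a portal search page might. Hypothetical template;
# not Liferay's or UIDAI's markup.
TEMPLATE = "<html><body><h1>Results for: {q}</h1></body></html>"


def query_param(url, name="q"):
    """Return one query parameter from a URL, percent-decoded by parse_qs."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(url):
    """Reflected injection: the parameter goes into the HTML unmodified."""
    return TEMPLATE.format(q=query_param(url))


# Hypothetical blocklist standing in for a filter that rejects the exact
# strings seen in published demonstrations.
BLOCKED_FRAGMENTS = ("<script", "onerror=")


def render_blocklisted(url):
    """Mitigation by blocking known fragments in the raw query string.

    The injection point is untouched, so anything the filter does not
    literally match (percent-encoding, different case, a different tag)
    is still reflected.
    """
    raw_query = urlparse(url).query
    for fragment in BLOCKED_FRAGMENTS:
        if fragment in raw_query:
            return "<html><body>Blocked</body></html>"
    return TEMPLATE.format(q=query_param(url))


def render_hardened(url):
    """Root-cause fix: HTML-encode the value for the context it lands in."""
    return TEMPLATE.format(q=html.escape(query_param(url), quote=True))


def contains_markup(page):
    """True if the rendered body carries a tag the template did not supply."""
    marker = "<h1>Results for: "
    if marker not in page:
        return False
    body = page.split(marker, 1)[1].rsplit("</h1>", 1)[0]
    return "<" in body or ">" in body


if __name__ == "__main__":
    base = "https://portal.example.invalid/search?q="
    for name, fn in (("vulnerable", render_vulnerable),
                     ("blocklisted", render_blocklisted),
                     ("hardened", render_hardened)):
        # Two constructed inputs: the literal string the filter knows, and
        # the same string percent-encoded, which the filter never sees.
        for payload in ("<script>alert(1)</script>",
                        "%3Cscript%3Ealert(1)%3C/script%3E"):
            print(name, repr(payload), "injected:",
                  contains_markup(fn(base + payload)))
```

Running the block shows the blocklisted handler rejecting the literal string but reflecting the percent-encoded form (and an upper-case `<SCRIPT>`), while the hardened handler renders both as harmless text. The check is done on what actually reaches the page, not on whether the request was rejected, which is the measure that matters for this class of bug.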
Here are some screenshots of content viewed on the UIDAI website during this time.