Late Saturday night, security researcher Abhay Rana published a post detailing a cross-site scripting (XSS) vulnerability on the UIDAI portal at resident.uidai.gov.in that allowed anyone to embed content on the website, so that when the appropriate URL was accessed, UIDAI would appear to host that content.
The vulnerability was a result of UIDAI running its portal on legacy code (Liferay 6.1 Community Edition reached end of life on 12th December 2013) that was no longer supported. In fact, the code was so old (released over five years ago) that the vulnerabilities in it were no longer listed among currently known vulnerabilities and had been archived.
It was only when Aadhaar critics, angry over UIDAI's continued pattern of inaction over vulnerabilities, shared links demonstrating how content critical of Aadhaar could appear to be hosted on the UIDAI website, that UIDAI finally took action. No, the action was not to upgrade to a current edition; it was to block the URL fragments that were enabling the humiliation. UIDAI's determination to maintain vulnerabilities remains constant.
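To make the distinction between the stop-gap and the actual fix concrete, here is an added example (not code from the post or from the UIDAI portal, which runs on Liferay, a Java product). It uses a stand-in Python page handler that reflects a query parameter into HTML the way the article describes, shows the same handler with output encoding and a Content-Security-Policy header, and includes the check a site owner would run to see whether a page reflects unencoded input. The URL, the `message` parameter name and the page markup are all constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request: the "message" query parameter is reflected into the page.
# The real portal is Liferay (Java); this handler is only an illustrative stand-in.
CONSTRUCTED_URL = "https://portal.example/search?message=%3Cb%3Einjected+content%3C%2Fb%3E"


def reflected_param(url: str, name: str) -> str:
    """Return the first value of query parameter `name`, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """The defect class in the article: the parameter is dropped into the HTML
    unchanged, so any markup carried in the URL becomes part of the page."""
    value = reflected_param(url, "message")
    return f"<html><body><p>You searched for: {value}</p></body></html>"


def render_hardened(url: str) -> tuple[str, dict]:
    """The fix belongs at the output boundary: HTML-escape the value before it
    is placed in the page, and send a restrictive Content-Security-Policy as
    defence in depth. Returns (body, response_headers)."""
    value = html.escape(reflected_param(url, "message"), quote=True)
    body = f"<html><body><p>You searched for: {value}</p></body></html>"
    headers = {
        # Assumed policy for this example; a real portal would tune it to its assets.
        "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }
    return body, headers


def reflects_raw_markup(url: str, body: str, name: str) -> bool:
    """Site-owner check: if the parameter value carries HTML metacharacters and
    the response contains that value verbatim, the page is reflecting untrusted
    input without encoding. Blocking particular URL fragments does not change
    this result, because the rendering path is untouched."""
    raw = reflected_param(url, name)
    has_markup = any(ch in raw for ch in "<>\"'")
    return has_markup and raw in body


if __name__ == "__main__":
    print("vulnerable reflects raw markup:",
          reflects_raw_markup(CONSTRUCTED_URL, render_vulnerable(CONSTRUCTED_URL), "message"))
    hardened_body, hardened_headers = render_hardened(CONSTRUCTED_URL)
    print("hardened reflects raw markup:",
          reflects_raw_markup(CONSTRUCTED_URL, hardened_body, "message"))
    print(hardened_body)
```

The point of `reflects_raw_markup` is that it tests the response, not the URL: a filter that rejects certain URL fragments leaves the unencoded rendering in place, whereas escaping at the output boundary (or upgrading to a supported release that already does so) removes the condition regardless of what the request contains.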
Here are some screenshots of content viewed on the UIDAI website during this time.
Some questions for the UIDAI
- What the hell is wrong with you people? Why are you not using updated software for such an important website?
- When the UIDAI spends crores on covering up vulnerabilities, why not spend a few thousand to use provider-maintained software?
- Who is responsible for the security of the UIDAI server? Give exact name.