PM Kisan leaked Aadhaar numbers of more than 110 million farmers

Atul Nair
2 min read · Jun 13, 2022

The PM Kisan website provides a dashboard for viewing various charts and data. One endpoint behind that dashboard leaked the Aadhaar numbers of all registered farmers, filterable by region (state, district, village).

Pradhan Mantri Kisan Samman Nidhi (PM Kisan) is an initiative of the Government of India under which all farmers receive up to ₹6,000 per year as minimum income support.

An attacker could easily have gathered all of the data with a basic script.

Impact

According to the PM Kisan website and recent reports, more than 11 crore farmers are registered on the platform, so the leak could have affected more than 110 million farmers.

Summary

  • Due to a lack of authorization checks, an endpoint on the PM Kisan website leaked Aadhaar numbers.
  • The issue was responsibly reported to CERT-In.
  • PM Kisan has now taken down the vulnerable endpoint.
  • The number of affected farmers is more than 11 crore.
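As an added illustration of the summary above (this is not code from the post or from PM Kisan; the endpoint shape, record fields and role names are assumptions), here is a minimal Python model of a region-filtered dashboard handler before and after a fix: the vulnerable version hands full records, Aadhaar included, to any caller, while the hardened version requires an authorized role and serves only the per-village counts a chart needs, with identifiers masked for the one role that can see them at all.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Farmer:
    aadhaar: str      # 12-digit identifier, treated as sensitive
    state: str
    district: str
    village: str

# Constructed sample records; the Aadhaar values are made-up digit strings.
FARMERS = [
    Farmer("123456789012", "Maharashtra", "Pune", "Wagholi"),
    Farmer("234567890123", "Maharashtra", "Pune", "Wagholi"),
    Farmer("345678901234", "Maharashtra", "Nashik", "Sinnar"),
    Farmer("456789012345", "Punjab", "Ludhiana", "Raikot"),
]

class Forbidden(Exception): pass   # caller lacks the role the endpoint requires

def _in_region(f, state, district):
    return f.state == state and (district is None or f.district == district)

def dashboard_vulnerable(state, district=None):
    """Before: no caller identity is checked and full records, Aadhaar included,
    are returned for any region, so the whole dataset can be walked region by region."""
    return [vars(f) for f in FARMERS if _in_region(f, state, district)]

def mask_aadhaar(aadhaar):
    """Show only the last four digits, the usual display form for Aadhaar."""
    return "XXXX-XXXX-" + aadhaar[-4:]

def dashboard_hardened(caller_roles, state, district=None):
    """After: an authorized role is required and the payload carries only per-village
    counts; masked IDs appear only for the (assumed) verification_officer role."""
    if "dashboard_viewer" not in caller_roles:
        raise Forbidden("caller is not authorized to read dashboard data")
    matching = [f for f in FARMERS if _in_region(f, state, district)]
    counts = Counter((f.district, f.village) for f in matching)
    villages = []
    for (d, v), n in sorted(counts.items()):
        entry = {"district": d, "village": v, "farmers": n}
        if "verification_officer" in caller_roles:
            entry["masked_ids"] = sorted(mask_aadhaar(f.aadhaar) for f in matching
                                         if (f.district, f.village) == (d, v))
        villages.append(entry)
    return {"state": state, "villages": villages}
```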

Timeline

Jan 29, 2022: Reported to CERT-In

Jan 31, 2022: CERT-In replied with the reference number and forwarded the report to the concerned authorities

Feb 26, 2022: CERT-In said that the fix had not yet been confirmed by the concerned entity and that they had already escalated the matter to the concerned authority for appropriate action.

May 28, 2022: Sent a mail to CERT-In confirming that the issue has been fixed.

May 30, 2022: CERT-In thanked me for the report.
