SUMMARY
In The Demo, Abhinav Srivastava Claims To Use Lack Of HTTPS In The Aadhaar Website URL For The Hack
Inc42 Daily Brief
Stay Ahead With Daily News & Analysis on India’s Tech & Startup Economy
The Aadhaar data theft case by Ola employee and co-founder of Qarth Technologies, Abhinav Srivastava has taken yet another turn. As per recent reports, Srivastava gave a six-hour step-by-step demo to sleuths of how he managed to hack into the Aadhaar website.
Qarth Technologies co-founder Abhinav Srivastava was arrested by Bengaluru’s Central Crime Branch on charges of Aadhaar data theft last week. According to the complaint, Srivastava illegally accessed UIDAI data through an “Aadhaar e-KYC verification” mobile app that he developed himself.
In his demonstration, Abhinav Srivastava said that he took advantage of the lack of Hypertext Transfer Protocol Secure (HTTPS) in the URL of the Aadhaar website. A recent report claims that Abhinav used shortcuts to access data from various websites that used Aadhaar data.
Aadhaar Data Theft: Allegations Against Abhinav Srivastava
Founded in 2012 by Abhinav Srivastava and Prerit Srivastava, Qarth’s chief product was a mobile payments app called X-Pay, which is a multi-bank IMPS mobile payment application. Chennai-based Qarth was acquired by cab aggregator Ola in March 2016, in a bid to bolster Ola’s mobile wallet service, Ola Money.
At the time of the arrest, Ola denied any involvement in the Aadhaar data theft. An Ola spokesperson stated, “Ola has neither commissioned nor is involved in any such activity.”
Qarth is a subsidiary of Ola. Qarth workers were accused of developing an app and accessing details on the Aadhaar website without authentication and provided the same as e-KYC details. Abhinav is accused of accessing Aadhaar-related information, housed by the NIC server, illegally to the miscreants. He had accessed the Aadhaar data through an e-hospital website.
Preliminary inquiries reveal that Srivastava developed a mobile app that provided “Aadhaar e-KYC verification” by accessing data hosted on the National Informatics Centre (NIC) server. He reportedly earned $628 (INR 40,000) from ads displayed on the app which, in turn, was downloaded by over 50,000 people.
Abhinav was arrested on August 1 2017, five days after the Unique Identification Authority of India (UIDAI) first lodged an FIR against him and Qarth Technologies with the Bengaluru police.
However, earlier on Friday, the Unique Identification Authority of India (UIDAI) had claimed that there was no breach of any Aadhaar data. Apart from this, it had assured that there is no compromise of Aadhaar user’s privacy and security through the app developed by Abhinav Srivastava.
At that time, Ajay Bhushan Pandey, CEO of UIDAI said “No one could get data of any other person through this app. Even though residents were downloading their own demographic data such as name, address etc., yet legal actions were initiated against the owner of the app since it was not authorised to provide such services to people and such acts are criminal offence punishable action as per Aadhaar Act, 2016. It is further reiterated that data of not even a single non-consenting resident has been given by UIDAI through this app.”
The UIDAI has not come forward with another statement after the reports of Abhinav Srivastava giving a hacking demo to sleuths surfaced. Ola, on the other hand, also did not comment on the queries sent about the employment status of Srivastava and the status of operations of its subsidiary Qarth.
(The development was reported by Times Now)
Note: We at Inc42 take our ethics very seriously. More information about it can be found here.