Bestdealss

Better Easy Saving Troops

UMANG portal flaws uncovered person information throughout a whole bunch of providers, researchers discover

UMANG portal flaws uncovered person information throughout a whole bunch of providers, researchers discover


A number of vulnerabilities within the Unified Cell Software for New-age Governance (UMANG), a authorities portal that aggregates a whole bunch of public providers provided by the Union and State Governments, are leaving probably tens of millions of Indians’ information uncovered throughout a wide range of databases, together with these from the Workers’ Provident Fund Organisation (EPFO), in response to two safety researchers who shared their findings with The Hindu

The vulnerabilities, which have possible existed for years, have an effect on a number of providers examined on the UMANG portal, which has onboarded over 2,400 providers. It stems from the structure of the portal itself, stated the researchers, Akshay C.S. and Viral Vaghela. “Virtually all the pieces is damaged by design,” Mr. Vaghela stated.

UMANG was launched 9 years in the past by Prime Minister Narendra Modi on the fifth World Convention on Cyber House, which occurred in Delhi. 

EPFO downtime

The info uncovered consists of Distinctive Account Numbers (UAN) with the EPFO, LPG cylinder reserving particulars with no less than one main oil advertising firm, and Aadhaar numbers throughout a number of providers the place a person’s ID particulars are saved. The Aadhaar numbers had been discovered throughout many providers in plaintext, though such storage is disallowed by the Aadhaar Act, 2016. The Aadhaar module itself inside UMANG was not weak.

The EPFO module is UMANG’s most-used service, recording over 40 crore transactions over the past three months — fifteen occasions greater than Bharat Aadhaar Seeding Enabler, the following largest use case.

The Ministry of Electronics and Info Expertise acknowledged the vulnerabilities in an announcement to The Hindu. “Our improvement and safety groups have fastidiously examined the observations and are implementing the required corrective and preventive measures,” the Ministry stated. “The plaintext data within the involved APIs has been appropriately encrypted.”

The Ministry added that it has “reviewed the API transaction logs for the previous three months” and located that “transaction volumes” had been constant and that it continued to maintain watch on actions on the UMANG portal. 

Additionally learn: PF curiosity to be credited by July 15 to member accounts: Minister

The Hindu is withholding the exact technical particulars of the vulnerabilities, as they continue to be energetic regardless of the above interventions. The encryption the IT Ministry referred to is “flawed and insufficient,” Mr. Akshay stated, including {that a} easy workaround allowed it to be cracked anyway. At The Hindu’s request, the researchers shared their findings with Karan Saini, one other impartial safety researcher, who termed the vulnerabilities “important”.

“Contemplating that charge limiting was applied and the massive number-space of EPFO UANs,” Mr. Saini stated, referring to the steps taken by the positioning to restrict the variety of requests a person could make, “it’s unlikely that the vulnerability might have been exploited to reflect your entire EPFO database.” Nonetheless, he added, it “might probably have been abused by cybercriminals in possession of UAN numbers to siphon funds at scale by permitting for each altering of checking account particulars and initiating payouts, which may be very regarding.”

“The fixes initially applied following the disclosure seem to do nothing to safe the system and as a substitute confuse obscurity with safety, whereas additionally introducing one other vulnerability within the course of,” Mr. Saini stated. (The Hindu can also be withholding details about the extra vulnerability.)

Mr. Akshay and Mr. Vaghela reported each vulnerabilities to the IT Ministry and the Laptop Emergency Response Group, India (CERT-in), which points alerts and helps organisations throughout the nation with fixes for vulnerabilities like these. Shortly after the pair reported the vulnerabilities, the EPFO took down its on-line portal for a “migration”, and a few providers remained unavailable this week. The researchers stated they suspected this was in response to their alerts, which had been additionally despatched to the organisation. The Ministry of Labour and Employment didn’t reply to a request for remark.

“It’s value inspecting whether or not the fixes deployed on the UMANG portal had been concurrently deployed throughout the providers for which UMANG acts as a proxy,” Mr. Saini stated.

Authorities safety

The vulnerabilities spotlight the safety posture of presidency web sites, particularly at a time when India is in search of entry to Anthropic’s Mythos AI mannequin, which has been touted as a solution to safe long-standing vulnerabilities in complicated codebases which have persevered for many years. 

At a report launch on Monday (July 13, 2026), IT Secretary S. Krishnan stated that CERT-in had launched a “battle room” the place it was auditing essential code utilized by the federal government with regionally hosted open-source fashions whose capabilities had been similar to cutting-edge frontier fashions. Mr. Krishnan stated the federal government undertook a “fixed train” in combating cyber vulnerabilities on authorities web sites. 

Entry to Mythos, Mr. Krishnan stated, in response to a broader query concerning the cybersecurity of presidency web sites, can be a chance “to truly establish any of those vulnerabilities now and proper them.”

“Clearly, gaining access to Mythos and related superior fashions may be very excessive on the federal government’s precedence listing, and that is one thing that we now have mentioned with our counterparts within the U.S. and with the respective corporations.”

In CERT-in’s battle room, Mr. Krishnan stated that the federal government was utilizing fashions “which we consider to be about 60–70% as succesful as Mythos” and was “figuring out vulnerabilities and fixing them as we go” in what he described as a “dry run for every time Mythos is accessible”. 

Revealed – July 13, 2026 06:58 pm IST

Leave a Reply

Your email address will not be published. Required fields are marked *