Security lapse in UMANG portal; could Aadhaar data be leaked? Here is the government's response..
After major flaws were discovered in the CBSE re-examination portal, two researchers—Akshay CS and Viral Vaghela—have now identified vulnerabilities in India's UMANG portal. These flaws could potentially expose sensitive data belonging to millions of Indians, including Aadhaar numbers and EPFO UAN details. The researchers told *The Hindu* that these vulnerabilities have likely existed for years and affect multiple services on the UMANG portal. The report quotes Vaghela as saying, "Almost everything is broken by design." The government has also issued a response regarding this matter, which you should be aware of.
**Government's Response**
The Ministry of Electronics and Information Technology acknowledged these flaws in a statement to *The Hindu*. The Ministry stated, "Our development and security teams have carefully examined the observations and are implementing necessary fixes and safeguards. Plaintext information in the relevant APIs has now been properly encrypted." The Ministry further added that it reviewed API transaction logs from the past three months and found transaction volumes to be consistent; monitoring of portal activity is ongoing.
**Flaws in the UMANG Portal**
Specific technical details of the vulnerabilities have not been disclosed for security reasons, as reports suggest the flaws may still be active on the UMANG portal. According to the report, these vulnerabilities could have allowed cybercriminals possessing UAN numbers to withdraw funds on a large scale, as the flaws granted access to both modify bank account details and initiate payments.
Upon discovering the flaws in the UMANG portal, the researchers informed the IT Ministry and the Computer Emergency Response Team, India (CERT-In). CERT-In issues alerts and assists organizations in responding to cybersecurity vulnerabilities. Immediately following the disclosure of these flaws, the EPFO shut down its online portal for migration, and certain services remained unavailable for the week. Researchers suspect that this move was linked to the alerts they had sent to the organization.
The researchers claim that Aadhaar numbers were visible in plain text across various services where user identities are stored—a practice not permitted under the Aadhaar Act, 2016. However, according to the report, the Aadhaar module within UMANG itself was not vulnerable. The report states that the exposed data could include EPFO Unique Account Numbers and LPG cylinder booking details associated with at least one major oil marketing company. The Employees' Provident Fund Organisation (EPFO) module is the portal's most frequently used service, having recorded over 400 million transactions in the last three months.
Disclaimer: This content has been sourced and edited from TV9. While we have made modifications for clarity and presentation, the original content belongs to its respective authors and website. We do not claim ownership of the content.

