A security researcher says a bug on an Indian state government website inadvertently revealed documents containing residents’ Aadhaar numbers, identity cards and copies of their fingerprints.
The bug was fixed last week after the security researcher disclosed the bug to local authorities.
Sourajeet Majumder found the bug in the West Bengal government’s e-District web portal that allows state residents to access government services online, like obtaining birth and death certificates and building applications. Majumder said the website bug meant it was possible to obtain land deeds, which contain records about the owners of a piece of land, from the e-District website by guessing sequential deed application numbers.
Application identification numbers are unique 16-digit numbers issued by the state government when a local resident applies for a digital copy of a deed.
Not every application identification number was valid. Using publicly available tools like Burp Suite to analyze the network traffic in and out of the website meant that Majumder could cycle through entire lists of sequential application numbers and use the responses from the server to determine if an application identification number was valid.
With access to an application identification number, anyone with a login to the e-District system could access a copy of a land deed. Two land deed records seen by TechCrunch contain the names of the individuals involved with the deed, their photographs and their full set of fingerprints from both hands. It’s not uncommon to see multiple individuals on a single deed.
The deeds also contain the individuals’ government-issued identity documents, including their confidential Aadhaar numbers, which every citizen is assigned as part of India’s national identity and biometric database. Aadhaar numbers are required for accessing banking, cell phone plans and many government services.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Majumder reported the website vulnerability to India’s computer emergency response team, known as CERT-In, and the West Bengal government, fearing that the vulnerability could be misused for identity fraud. The bug was fixed soon after.
It’s not known if anyone else other than Majumder discovered the bug. Representatives for the West Bengal government and CERT-In did not return requests for comment. The West Bengal government’s e-District website says it has processed more than 17 million applications to date, though it’s not known how many relate to land deeds.
Local media reports a recent rise in fraud linked to the alleged theft of biometric information, which criminals are said to be using to empty bank accounts.
Indian state government website exposed COVID-19 lab test results
