There's some serious worrying news for millions of employed people in the country. Serious security flaws have been found in the Umang portal, which integrates hundreds of central and state government services, putting employees' hard-earned money and personal data at risk. Following the revelations by two security researchers, the Employees' Provident Fund Organisation (EPFO) has shut down some services on its online portal, citing migration.
The EPFO module is the most used service on the Umang app, recording over 400 million transactions in the last three months. This technical flaw has raised serious questions about the security and privacy of ordinary employees who have chosen a fully digital option for their pension and PF.
Researchers Akshay C.S. and Viral Vaghela explained that the flaws likely existed for several years and impacted many of the services tested on the Umang portal, which currently offers over 2,400 services. They said the root of the problem lies in the portal's infrastructure. According to Vaghela, the flaw is actually in its design. The exposed data includes the EPFO's Universal Account Number (UNA), LPG cylinder booking details from at least one major oil marketing company, and Aadhaar numbers stored on several services that store user identity information. On many services, Aadhaar numbers were found in plaintext without any security coding, which is prohibited under the Aadhaar Act, 2016.
Ministry acknowledges vulnerabilities
The Ministry of Electronics and Information Technology has acknowledged these security vulnerabilities. According to the ministry, API transaction logs from the last three months have been reviewed. The report claims that despite the government's measures, these vulnerabilities still exist. They can still be avoided using a simple workaround. Akshay and Vaghela reported both vulnerabilities to the Ministry of Information Technology and the Computer Emergency Response Team, India, which issues advisories and workarounds to organizations across the country regarding such security vulnerabilities.
According to the report, if a cyber-fraudster already has your UNA number, they can exploit this vulnerability. They can hack the portal, change your bank account number, and transfer (payout) your PF amount to their own account.
Still hiding information
The initial security measures taken by the government after the flaw was discovered failed to secure the system. Instead of fixing the problem, they simply tried to hide it, which instead of strengthening the security, created a new technical flaw.
PC: Navarashtra
-
Manchester United reportedly reach agreement to sign Roma midfielder Manu Kone for £45m, with Ederson possibly influencing the move

-
US: Indian Muslim man stabbed in Utah over his religion

-
Aurum PropTech To Acquire Housing.com For ₹458 Cr

-
E20 Petrol Engine Damage Case: Raipur Consumer Court Orders Carmaker to Give New Car or Refund Rs.20 Lakh

-
E20 fuel row: FIR against content creators for 'defamatory posts' about Nitin Gadkari
