Employees’ Provident Fund Organisation, India website found INSECURE

Pierluigi Paganini December 08, 2016

Security firm Eioneus Systems claims to have found a serious security flaw in the Universal Account Number (UAN) website (India).

In a recent incident, the information security firm Eioneus Systems claims to have found a serious security flaw in the Universal Account Number (UAN) website (India) which could have led to the theft of millions of users’ data. Eioneus Systems is an information security firm based in Pune. According to Snehil Khare of Eioneus Systems, the issue was reported immediately to CERT-In, NIC, and the other government bodies the firm felt it necessary to notify at the time.

[Image: Employees’ Provident Fund]

According to the reports, the issue was critical and gave access to the country’s entire Provident Fund database. Moreover, the firm stated that the vulnerability could be exploited to gain complete access to the underlying machine, leading to full compromise of the server. The firm handled the finding as a responsible vulnerability disclosure.

Due to the sensitive nature of the incident, complete details of the vulnerability were not shared, but it came to light that the bug gave access to information such as Provident Fund balances, individuals’ KYC details, phone numbers, PAN numbers and bank details of every Provident Fund member in the country. The firm shared a few screenshots to support its claim of having accessed the database.


In a chat with Security Affairs, Snehil Khare clarified his intentions further, stating: “Our motive is to do a responsible vulnerability disclosure and not to abuse the information which was accessed. Our intention was to draw the attention of authorities towards the major security concern identified, without ignoring it.”

According to Eioneus Systems, the issue came to their attention on 3 December 2016 while they were browsing the website for the usual UAN-related features it offers. The issue was reported immediately to CERT-In (the Indian Computer Emergency Response Team), which acknowledged the report promptly.


About the Author: Avantika Tripathi, Marketing Head at Eioneus Systems


(Security Affairs – Employees’ Provident Fund, hacking)
