Thursday, March 29, 2018

13134 - Who is 'ethical hacker' Elliot Alderson? Aadhaar whistleblower says he's 'not Indian' - Money Control

Mar 28, 2018 10:31 AM IST | Source: Moneycontrol.com


The so-called ethical hacker started the revelation as a “game”, with the intention of keeping the government agency UIDAI on its toes.
Moneycontrol News


A Twitter user known as Elliot Alderson, who kicked up a storm across the country when he leaked details of close to 20,000 Aadhaar cards on the internet a few weeks ago, has now claimed that he is "not Indian".

The so-called ethical hacker started the revelation as a “game”, with the intention of keeping the government agency UIDAI on its toes. But he did not stop there.

Alderson, as he is known on Twitter, has now jumped into the midst of a recent data theft scandal by “exposing” loopholes in the mobile applications of political parties, including the Bharatiya Janata Party (BJP) and the Congress.

Here's a look at who Elliot Alderson really is and why he is in the news.


Elliot Alderson is not Indian

Who is Elliot Alderson?
Elliot Alderson is the Twitter username of French security researcher Baptiste Robert, a network and telecommunications engineer by profession, according to a report by NewsBytes.

The 28-year-old cybersecurity expert is said to be a one-man army, with no team assisting him.

How Alderson started the Aadhaar fiasco
On March 10, the French researcher posted on his handle that he intended to play a game that night. The game was about how many Aadhaar cards he could find in a span of three hours.

I will play a game tonight: How many #Aadhaar cards can I find in 3 hours?
Note: All the cards must be available publicly

The game ended after Alderson had posted details of 20,142 Aadhaar cards online.

This was followed by another low blow when on March 13, Alderson posted a walkthrough to bypass the password protection feature in the official Aadhaar Android application in less than a minute.

He noted that it was the newest version of the app, and that the attacker did not even need a rooted phone to mount the attack.


How to bypass the password protection of the official #Aadhaar #android #app in 1 minute.

For this attack, the attacker needs physical access to the phone; a rooted phone is not needed, and yes, this is the latest version of the app.
cc @uidai @ceo_uidai


Shift to data security loopholes in mobile apps of BJP and Congress
On March 23, Alderson posted: “I checked the NaMo app and this is not good”. He followed up by saying that PM Narendra Modi’s NaMo app shares personal data of users with third parties.


When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are sent without your consent to a third-party domain called .

The researcher did not limit himself to the NaMo app and moved to the Congress’ mobile app next. “Of course, I will check the With INC #android app too” read another of his tweets. At the end of the exercise, he shared on the internet the loopholes he had found.



When you apply for membership in the official @INCIndia #android #app, your personal data are sent encoded through an HTTP request to .

Does Alderson want to make money out of the whole endeavour?
It doesn't seem that way. In one of his tweets, Alderson posted the screenshot of an e-mail seeking to purchase the details of the Aadhaar cards from him, and wrote “No need to send me this kind of mail. The answer is a big NO” along with it.
In another tweet, he reiterated that he was neither against nor in favour of Aadhaar, and that he thinks a project of this size deserves maximum security.

No need to send me this kind of mail. The answer is a big NO

So, why is he doing what he is doing?
From the series of tweets, it seems that the researcher wants to help the organizations fix the vulnerabilities in their data security systems.
His tweet reads: “If it is really a reaction to my tweets, this is really a bad signal. Instead of making disinformation @UIDAI, please discuss with me. Your threats are useless and I will continue my work. So please stop denying and let’s fix things together.”
But why does he want to help? Is it to gain fame? Possible. But nothing can be said clearly unless the man himself clarifies.