Absence of HTTPS from URL helped Aadhaar hacker

BENGALURU: Explaining the short cuts he used, Abhinav Srivastava, prime accused in the Aadhaar data theft case, disclosed his modus operandi to cybercrime sleuths on Saturday.

Srivastava, 31, an MSc graduate from IIT-Kharagpur, was recently arrested for allegedly hacking into e-hospital server hosted by the National Informatics Centre (NIC), a KYC user agency (KUA) which has tied up with the Unique Identification Authority of India (UIDAI) for Aadhaar authentication services. He allegedly hosted the Aadhaar e-KYC app on Google Playstore. Anyone clicking on it could gain access to Aadhaar data available on the server,

Sources said Srivastava was asked to explain how he hacked into the government website to access Aadhaar data, and stunned investigators during the six-hour demonstration, which was videographed by cybercrime cops. He said the absence of Hypertext Transfer Protocol Secure (HTTPS) from the URL helped him hack into the e-hospital website. Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP (Hypertext Transfer Protocol),” a source said, adding, “All communications between the browser and the website were not encrypted.

HTTPS

is often used to protect highly confidential online transactions like banking and shopping order forms.”

Srivastava explained the short cuts used to hack into websites. However, he reiterated that he had no criminal intention. “I developed the app giving out E-KYC details, thinking it would help the common man access Aadhaar information. I had no other intention,” police said quoting the accused.

Senior officials told Srivastava hacking into the server itself was a criminal act. “He’s trying to convince us that he is not a hardcore criminal but that can only be decided after the investigation is over,” a Central Crime Branch (CCB) sleuth said.

Laptops, hard disks sent to FSL

CCB police sent the four laptops and one hard disk they seized from Srivastava’s residence to the forensic science laboratory. “We need to carefully examine the gadgets as they contain all the information of his activities,” a CCB cop said.

Co-founder of Qarth Technologies and employed with cab aggregator Ola as a software development engineer, Srivastava was arrested on Tuesday for allegedly hacking into and accessing the UIDAI server. The arrest was made after UIDAI officials filed a police complaint. Preliminary investigation has revealed that he helped internet users download demographic data — address, mobile number, email id, age and sex — of at least 40,000 Aadhaar cardholders.