Page 1 of 17
internetfreedom.in policy@internetfreedom.in +91 011 4143 7971
By Email
To,
Public Grievance Officer,
National Informatics Centre, MeitY,
A-Block, Lodhi Road, CGO Complex
New Delhi-110003
Email: s3waas.support@gov.in
Dated: March 17, 2022 IFF/2022/018
Dear sir/ma’am,
Re: Potential vulnerabilities on the S3WaaS Portal leading to data leak of
several Indian citizens
1. Internet Freedom Foundation (“IFF”) is a registered charitable trust which advocates for
people’s rights over the internet across public institutions and the private sector. IFF’s
origins stem from the SaveTheInternet.in public movement which enabled more than a
million Indians to advocate that net neutrality be recognised as a core tenet of the public
internet. We work across a wide spectrum of issues, with expertise in free speech,
electronic surveillance, data protection, net neutrality and innovation; we champion
privacy protections, digital security, and individual freedoms in the digital age.
2. We are writing to you to bring to your attention a potential vulnerability in the ‘Secure,
Scalable and Sugamya Website as a Service’ (S3WaaS) Website of the Government of
India. The consequence of this vulnerability was a data leakage which has compromised
health data of several individuals of Indian nationality. The vulnerability was disclosed to
us by an independent security researcher, Sourajeet Majumder. We brought it to the
attention of the National Nodal Agency for Critical Information Infrastructure Protection
(NCIIPC) under its Responsible Vulnerability Disclosure Program (RVDP).
3. We would like to commend the actions taken so far in an attempt to tackle/resolve the
vulnerability. However, it would appear that the extent of the breach is larger than
originally anticipated, with the data being leaked going beyond the personally identifiable
information (PII) of Covid-19 vaccine beneficiaries. Several documents have again been
indexed on search engines and are publicly available. The bucket misconfiguration
vulnerability on the website allows access to several confidential documents, some of
which contain confidential, sensitive and protected information of Indian citizens, to
unauthorised persons. We fear that this leak could jeopardise the privacy of millions of
Indians, lead to identity theft of the beneficiaries and/or the weaponisation of sensitive
data against individuals or groups of individuals with the intent to threaten, influence or
exploit them.
4. We urge you to patch this vulnerability at the earliest and take other remedial actions,
including initiation of an inquiry, to stop the continued breach of the privacy of several
individuals of Indian nationality.
We request you to see below the substantive recommendations separately attached to this
covering letter, drafted with the help of Sourajeet Majumder. We remain at your disposal should
you wish to discuss the matter further.
Kind Regards,
Rohin Garg,
Associate Policy Counsel,
Internet Freedom Foundation,
rohin@internetfreedom.in
I-1718, Chittaranjan Park, New Delhi, Delhi 110019 2
Additional details regarding the security misconfiguration at S3WaaS Portal leading to
data leak of several Indian citizens
1. The basis of this information is research conducted and shared by an independent
security researcher, Sourajeet Majumder, and then subsequent research and verification
by the staff of the Internet Freedom Foundation.
2. This representation discloses a potential vulnerability in the S3WaaS
infrastructure that has led to the leakage of health data of several citizens. However, the breach
has since expanded: several new documents hosted at cdn.s3waas.gov.in
are being indexed by search engines and are publicly available. These documents are
no longer restricted to the data of health workers and now include personally identifiable
information of other people as well.
3. With the help of customised dorks, it was possible to get access to a huge number of
other structured data files, each containing a different set of sensitive data. Many of
these indexed files from the CDN contained Aadhaar numbers, Ration Card numbers,
Passport numbers, scanned images of passbooks, positive and negative RT-PCR
results, PII of students, FIR copies and bank account details. Additionally, numerous files
containing Personally Identifiable Information such as name, age, gender, address,
mobile number, applicant photo, UID number, EPIC number, bank account details of
those who are beneficiaries under different Government schemes were found.
4. In this case, the dorks return these data files because search engines have indexed
them. To stop a search engine from indexing the contents of a CDN, the
developer is expected to declare indexing rules, which can be done with a
robots.txt file and the noindex meta tag. In all probability, no such indexing rules are set for
cdn[.]s3waas[.]gov[.]in.
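As an added illustration (not part of this letter and not code from the S3WaaS platform), the following Python snippet checks offline whether a given set of indexing rules would keep a crawler away from a document on the CDN. The host name is the one named above; the robots.txt texts, the object path and the response headers are constructed samples. The X-Robots-Tag response header is this example's assumption for non-HTML files such as PDFs and scanned images, which the noindex meta tag cannot cover.

```python
from urllib.robotparser import RobotFileParser

# Host named in the letter; every object path below is a constructed sample.
CDN_HOST = "https://cdn.s3waas.gov.in"

# Constructed sample: no indexing rules at all (an absent or empty robots.txt),
# which is the state the letter says probably applies to the CDN.
ROBOTS_MISSING = ""

# Constructed sample: rules that keep every well-behaved crawler out of the
# uploaded documents while leaving the files reachable by direct link.
ROBOTS_HARDENED = """\
User-agent: *
Disallow: /
"""


def crawler_may_fetch(robots_txt: str, path: str, agent: str = "Googlebot") -> bool:
    """Return True if robots.txt lets `agent` crawl `path` on the CDN.

    An empty robots.txt grants everything, which is what allows the search
    queries in the letter to surface the files.
    """
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, CDN_HOST + path)


def response_allows_indexing(headers: dict) -> bool:
    """Return True unless the object's response headers forbid indexing.

    A <meta name="robots" content="noindex"> tag only exists inside HTML; for
    PDFs and scanned images the equivalent is an X-Robots-Tag response header.
    (That header is this example's assumption; the letter itself names only
    robots.txt and the meta tag.)
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = {d.strip().lower() for d in lowered.get("x-robots-tag", "").split(",")}
    return not ({"noindex", "none"} & directives)


def indexing_exposure(robots_txt: str, headers: dict, path: str) -> str:
    """Combine both signals into one verdict for a single CDN object."""
    if not crawler_may_fetch(robots_txt, path):
        return "blocked-by-robots"
    if not response_allows_indexing(headers):
        return "fetched-but-noindex"
    return "indexable"


if __name__ == "__main__":
    # Constructed headers for a PDF served with and without indexing controls.
    pdf_plain = {"Content-Type": "application/pdf"}
    pdf_noindex = {"Content-Type": "application/pdf", "X-Robots-Tag": "noindex, nofollow"}
    for robots, headers in ((ROBOTS_MISSING, pdf_plain),
                            (ROBOTS_MISSING, pdf_noindex),
                            (ROBOTS_HARDENED, pdf_plain)):
        print(indexing_exposure(robots, headers, "/documents/beneficiaries.pdf"))
```

Indexing rules only ask crawlers to stay away; they neither remove documents that are already indexed nor stop anyone who holds a direct link. For files that must not be public at all, the access control on the storage bucket is the relevant fix.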
5. Additionally, it was found that the Content Delivery Network (CDN) has been set up to
serve from S3 buckets, which store a massive amount of public and private documents.
It is speculated that the permissions on these buckets were set to “Public” to allow the
CDN to serve their contents, but very little care was taken to protect the sensitive files
they held. However, after the initial report to NCIIPC, it was noticed that
access to a select number of sensitive files stored in these buckets had been revoked
(Figure 1).
Figure 1: Revoked access to sensitive files
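As a further added illustration (again not part of this letter and not code belonging to NIC or S3WaaS), the Python snippet below audits bucket policy documents for the pattern speculated about in paragraph 5: a bucket opened to everyone so that the CDN can serve it. It assumes the storage accepts the AWS S3 bucket-policy JSON dialect; the bucket name, the role ARN and the three policy documents are constructed placeholders.

```python
import fnmatch
import json

# Actions that let a principal read objects or enumerate them.
READ_ACTIONS = ("s3:getobject", "s3:getobjectversion", "s3:listbucket")

# Constructed sample: the pattern the letter speculates about, a bucket opened
# to everyone so that the CDN can serve its contents. Bucket name is made up.
PUBLIC_CDN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ServeEverythingToAnyone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-cdn-origin/*",
    }],
})

# Constructed sample: only a CDN origin role may read, and only from a prefix
# reserved for genuinely public documents. The role ARN is a placeholder.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CdnOnlyRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/example-cdn-origin-role"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-cdn-origin/public/*",
        },
        {
            "Sid": "NobodyReadsPrivate",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-cdn-origin/private/*",
        },
    ],
})

# Constructed sample: anonymous read gated on a Referer header, a weak control
# (the header is chosen by the client) that still deserves a finding.
REFERER_GATED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadIfReferer",
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": ["s3:Get*"],
        "Resource": "arn:aws:s3:::example-cdn-origin/*",
        "Condition": {"StringLike": {"aws:Referer": "https://*.example.gov.in/*"}},
    }],
})


def _as_list(value):
    """Policy JSON allows a scalar wherever it allows a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """Both "Principal": "*" and "Principal": {"AWS": "*"} mean anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_read(actions) -> bool:
    """True if any action pattern (wildcards allowed) covers a read action."""
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatch.fnmatchcase(read, pat) for pat in patterns for read in READ_ACTIONS)


def public_read_findings(policy_json: str) -> list:
    """Return (Sid, severity) for each Allow statement that lets anyone read.

    severity is "public" for an unconditional grant and "conditional" when a
    Condition block narrows it; the latter still merits review.
    """
    policy = json.loads(policy_json)
    findings = []
    for n, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(statement.get("Principal")):
            continue
        if not _grants_read(statement.get("Action")):
            continue
        sid = statement.get("Sid", f"statement-{n}")
        severity = "conditional" if statement.get("Condition") else "public"
        findings.append((sid, severity))
    return findings


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_CDN_POLICY),
                         ("hardened", HARDENED_POLICY),
                         ("referer-gated", REFERER_GATED_POLICY)):
        print(name, public_read_findings(policy))
```

The hardened policy makes two changes that the letter's description calls for: read access is granted to one named CDN principal rather than to everyone, and sensitive uploads live under a prefix that the CDN cannot serve at all. The check covers only the bucket policy; object ACLs and account-level public-access settings would need to be reviewed separately.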
6. The vulnerability was first noticed on 16th January, 2022, when a gov[dot]in domain was
left exposed, making several structured data files containing the
sensitive personal information of many Indians accessible through a simple Google search.
Personally identifiable information, Aadhaar numbers, Ration card numbers, scanned
images of passbooks, negative and positive RT-PCR results (in huge numbers), passport
numbers, FIR copies, student data, bank account details, etc. could be accessed because
these results were indexed by search engines. It also appears that several malicious
actors have been able to exploit the vulnerability and have now dumped the data on data
breach marketplaces.
7. The above-mentioned vulnerability can be reproduced by following the below-mentioned
steps:
7.1. Visit google.com and type the following search queries:
7.1.1. site:cdn.s3waas.gov.in intext:"आधार" AND "नाम" (To view indexed docs
that might contain Aadhaar Numbers)
7.1.2. site:cdn.s3waas.gov.in intext:"Ration card" (To view indexed docs that
might contain Ration Numbers)
7.1.3. site:cdn.s3waas.gov.in intext:"Bank Account No" (To view indexed docs
that might contain Bank Account Details)
7.1.4. site:cdn.s3waas.gov.in intext:"Scanned Image" (To view indexed docs
that might contain private/public Scanned Images)
7.1.5. site:cdn.s3waas.gov.in intext:"Negative" AND "Name" (To view indexed
docs that might contain Negative RT-PCR reports)
7.1.6. site:cdn.s3waas.gov.in intext:"Positive" (To view indexed docs that
might contain Positive RT-PCR reports)
7.1.7. site:cdn.s3waas.gov.in intext:"Passport Number" filetype:pdf (To view
indexed docs that might contain Passport Numbers)
7.1.8. site:cdn.s3waas.gov.in intext:"योजना" AND "Aadhar Number" (To view
indexed docs that might contain Aadhaar No)
7.1.9. site:cdn.s3waas.gov.in intext:"Police Station" AND "Complainant" (To
view indexed docs that might contain FIR copies)
7.1.10. site:cdn.s3waas.gov.in intext:"Student Name" AND "Class" (To view
indexed docs that might contain student data)
7.1.11. site:cdn.s3waas.gov.in intext:"Student Name" AND "Mobile" (To view
indexed docs that might contain student data)
7.1.12. site:cdn.s3waas.gov.in beneficiaries list (To view indexed docs that
might contain PII of those who are beneficiaries under different Govt
schemes)
8. A massive amount of data was left exposed by this security misconfiguration, so
it is not possible to provide an accurate estimate of the true extent of this data leak.
At the time of preparing this report, about 10,20,000 data files (both public and private)
from cdn[.]s3waas[.]gov[.]in were found indexed by the Google search engine (Figure 2).
In addition, new data files were being indexed every 24 hours (Figure 3).
Figure 2: Indexed data files
10. Around 597 PDF files were found containing Personally Identifiable Information such as
SRF ID, name, age, sex, address, contact number, test result, etc. of hundreds of
thousands of Indians who took the RT-PCR test (Figure 6).
Figure 6: PII of individuals who took the RT-PCR test
Figure 7: PII of individuals who tested COVID-19 positive
Figure 8: PII of individuals who tested COVID-19 negative
11. Numerous structured data files were found containing sensitive data of many Indians
who are beneficiaries under different Government schemes. For example:
11.1. At least 24 PDF files were found containing Personally Identifiable Information
and photos of 21,200+ applicants of Noida Dadri Ration Distribution (Figure 9).
Figure 9: PII of Noida Dadri Ration Distribution applicants
11.2. At least 3 PDF files were found containing the name, Aadhaar number, and the
relative's name of 33,352 beneficiaries of Pradhan Mantri Awas Yojana (PMAY)
(Figure 10).
Figure 10: Leaked data of PMAY beneficiaries
11.3. Files containing the name, parents’ name, address, mobile number, age, annual
income and Aadhaar number of beneficiaries of Mukhyamantri Kalakar Sahayata
Yojana (MKSY), 2018 were found (Figure 11).
Figure 11: Leaked data of beneficiaries of MKSY
11.4. Lists of beneficiaries of the National Food Security Act (NFSA), 2013, along with lists of
potential members whose Aadhaar numbers are required to be seeded, were found (Figure
12).
Figure 12: Leaked data of NFSA beneficiaries
12. In addition, several other miscellaneous data files were found containing Aadhaar numbers,
Ration Card numbers, Passport numbers, scanned images of passbooks, PII of
students, FIR copies and bank account details.
Figure 13: Leaked bank account details
Figure 14: Leaked bank account details of students
Figure 15: Leaked ration number of relief assistance beneficiaries
Figure 16: Leaked bank details of AMPHAN beneficiaries
Figure 17: Leaked bank details of West Pakistan refugees
Figure 18: Leaked passport number of international travellers