5 times Elliot Alderson exposed the flaws in India's system
Robert Baptiste, a French security researcher who goes by the moniker Elliot Alderson and uses the handle @fs0c131y on Twitter, has been causing ripples continents apart, close to home in India. Baptiste has been in the thick of things since he has single-handedly managed to embarrass not just UIDAI but also the Congress and the BJP ahead of the 2019 general elections.
Amid the furore caused by the Facebook-Cambridge Analytica scandal, which saw personal data of as many as 50 million Facebook users being harvested and later used to influence voter behaviour in the Brexit referendum and more notably the US presidential polls, the allegation that personal information of Indian users was also being leaked to voter profiling firms has come as a blow to these self-proclaimed guardians of democracy.
NaMo app
On March 25, Baptiste pointed out that Prime Minister Narendra Modi's official Android app was sending personal user data to a third-party domain traced to the US company Clever Tap. The latter calls itself the “next generation app engagement platform. It enables marketers to identify, engage and retain users and provides developers”.
Thus, the app was not only collecting personal data of citizens — that may also include their voter ID — it was also sending it to a US-based "analytics" company without user consent.
.@narendramodi, I know privacy is not your thing but any thoughts about sharing the personal data of your users without their consent to a third-party company?
— Elliot Alderson (@fs0c131y) March 23, 2018
What's worse is that this exposé came a week after the PMO requested for the mobile numbers and email IDs of more than 15 lakh students of the National Cadets Corps (NCC) under the pretext that PM Modi wants to directly interact with the cadets, bearing another recommendation that all students download the NaMo app on their smartphones.
Flaws in Congress app
Baptiste's other major piece of ethical hacking business this week has been his exposé of how not just the NaMo app, but also the Congress app was stealing data from its users.
On March 26, he exposed how the official Android app of the Indian National Congress sends the personal data of users to the party’s website without the consent of the users. Additionally, Baptiste said that the app’s encryption is encoded through HTTP, which is considered an insecure way to transfer data, adding to the mix the possibility of data leaks.
Post this revelation, the Congress App was no longer available on Google Play Store — it had been taken down.
When you apply for membership in the official @INCIndia #android #app, your personal data are send encoded through a HTTP request to https://t.co/t1pidQUmtq. pic.twitter.com/6RH0ORYrQd
— Elliot Alderson (@fs0c131y) March 26, 2018
Paytm gaining root access to user phones
Earlier in the month, Baptiste also exposed how Paytm was potentially putting the phones of its users at risk by asking them for root access to their devices. In an interview to The Times of India, he explained that "root access is essentially one of the most significant entry points for any Android device which can manipulate the operating system of the phone. It can access other app information, chat details, among many other things on the device".
The report further added, "This is not an Android permission like having access to text messages and a user’s phone book. Unless totally savvy with technology, allowing root access is not advised by tech experts."
At the time, Paytm CEO Vijay Shekhar Sharma had tweeted that the National Payments Corporation of India (NPCI) had asked the app maker to check for rooted devices before enabling access to UPI payments.
After his exposé, however, Paytm chose to stop asking for root access to devices its app was being installed on.
.@Paytm here I come!Spoiler: There is no good reason to ask root permission for this app pic.twitter.com/IFinNotFaL
— Elliot Alderson (@fs0c131y) March 8, 2018
Frailities in Aadhaar, UIDAI security protocols
On March 14, this vigilante hacker again took to Twitter to expose how the government mandated Aadhaar was letting users down with its shaky security foundations. In a tweet, he posted screenshots, along with a URL of the Andhra Pradesh government’s website, revealing how biometric data and Aadhaar card scans of people were openly available.
Hi @UIDAI and @ceo_uidai, let me show you one of the "unscrupulous elements". This governmental website is leaking 4769 files. In this open directory you can find biometric data, #Aadhaar card scans and more.https://t.co/RcoMlnD6jo pic.twitter.com/HugQ65MdYf
— Elliot Alderson (@fs0c131y) March 14, 2018
The vulnerability, like many before it, was later fixed without so much as an acknowledgement of the flaw. The incident, however, did manage to publicly embarrass UIDAI – the government body entrusted with safeguarding the Aadhaar data – exposing once again the glaring frailities in its system.
Vulnerabilities in Indian Post, ISRO and BSNL
The ethical hacker, in the recent past, has also raised security concerns over the security of data stored on the servers of ISRO, Indian Post and BSNL. In the former's case, it was to one of the computers in its satellite-tracking unit; while in BSNL’s case, it was employee data from its intranet and at India Post, it was employee bank details.
Please @IndiaPostOffice contact me by DM. Your users' data is at stake.If someone has a relevant contact it will be really appreciate! https://t.co/WUk3d4Ovjk
— Elliot Alderson (@fs0c131y) March 8, 2018
Even though the credit for exposing these flaws chiefly lies with Baptiste, the reality is that the flaws had been brought to the notice of these companies by Indian hackers much before. However, no action was taken until the French hacker tweeted about the issue.
But who is Robert Baptiste?
As revealed in an interview with AndroidPit earlier last year, the man behind these exposés is a 28-year-old French citizen, Robert Baptiste.
Speaking to Scroll.in, Baptiste confirmed that his "formal educational qualification is that of a network and telecommunications engineer, and professionally, he is a freelance Android developer".
If his Twitter profile is anything to go by, the Frenchman seems inspired by the protagonist from the television series, Mr Robot – a show revolves around the life of vigilante hacker and cybersecurity expert "Elliot Alderson", who takes on the rich and corrupt in the society with his hacking skills.
However, in his interview with the publication, Baptiste explained that "neither is he a fan of the show Mr Robot nor is he a watcher of hacker-related movies. Explaining his motivations, he said, “the Snowden revelations have been a big boost for me to dig more into the subject... By nature, I’m curious and I like to understand how things are working which often leads by finding security flaws.”