
vpnMentor researchers discover massive vulnerability in BHIM mobile payment app

Scale of exposed data is extraordinary, affecting millions, all over India, and exposing them to potentially devastating fraud, theft and hackers

DQI Bureau

The research team at vpnMentor, a VPN review website that also runs a research lab focused on helping the online community defend itself against cyber threats and on educating organizations about protecting their users’ data, announced the discovery of a large data leak connected to the BHIM mobile payment app, affecting millions of users across India.


The BHIM (Bharat Interface for Money) mobile payment app was launched in 2016 by the National Payments Corporation of India (NPCI). By 2020, the NPCI recorded over 136 million downloads of the BHIM app. Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered that a large amount of highly sensitive financial data connected to the BHIM app had been exposed to the public.

The data came from the CSC/BHIM website, which was being used in a campaign to sign up large numbers of users and business merchants to the app from communities across India. According to vpnMentor, data collected in this campaign was stored in a misconfigured Amazon Web Services S3 bucket that was publicly accessible, so anyone who found the bucket could read its contents without any credentials.

The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals.


The full report, describing the leak and including samples of the exposed images, has been published on vpnMentor’s site at https://www.vpnmentor.com/blog/report-csc-bhim-leak/

“The sheer volume of sensitive, private data exposed, along with UPI IDs, document scans, and more, makes this breach deeply concerning. The exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users’ account information. Having such sensitive financial data in the public domain or the hands of criminal hackers would make it incredibly easy to trick, defraud, and steal from the people exposed. Our research also suggested that some of the exposed BHIM users were minors, who would be particularly vulnerable to fraudulent schemes,” according to Noam Rotem and Ran Locar.

The developers of the CSC/BHIM website could have avoided exposing user data by applying basic access controls to the S3 bucket that stored it: restricting the bucket policy to the named roles that actually needed to read the data, and enabling Block Public Access so that a public ACL or policy could not take effect. Both controls are standard S3 features and neither requires changes to the application itself.
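The following is an added illustration, not code from vpnMentor or from the CSC/BHIM project, of what "publicly accessible bucket" means in concrete terms and how to check for it. It contrasts a constructed world-readable bucket policy (anonymous principal, no condition) with a constructed policy limited to one IAM role, and checks an S3 Block Public Access configuration for completeness. The bucket name, account ID and role name are invented; the AWS CLI commands in the comments are the real ones used to inspect and apply these settings.

```python
"""Detect an S3 bucket policy that grants anonymous access, and verify that
Block Public Access is fully enabled. Illustrative example: the bucket name,
account ID, role name and policies below are constructed for this page."""
import json

# Constructed weak policy: anyone on the internet can list and download
# every object. This is the shape of misconfiguration that exposes a bucket.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-campaign-uploads",
                     "arn:aws:s3:::example-campaign-uploads/*"],
    }],
})

# Constructed hardened policy: only one named role in one account may read.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-campaign-uploads/*",
    }],
})


def _principal_is_anonymous(principal) -> bool:
    """True for the wildcard principal in either JSON spelling AWS accepts:
    "Principal": "*"  or  "Principal": {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def public_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that grant access to everyone
    with no Condition block narrowing who 'everyone' is.
    Compare with: aws s3api get-bucket-policy-status --bucket BUCKET"""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    hits = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        if st.get("Condition"):
            # A condition (e.g. aws:SourceVpce) may still restrict callers;
            # leave such statements for manual review instead of flagging them.
            continue
        hits.append(st.get("Sid", "<no Sid>"))
    return hits


PUBLIC_ACCESS_BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                             "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_block_complete(config: dict) -> bool:
    """True only when all four Block Public Access settings are enabled.
    With BlockPublicPolicy and RestrictPublicBuckets on, a policy like
    PUBLIC_READ_POLICY is rejected or rendered ineffective."""
    return all(config.get(flag) is True for flag in PUBLIC_ACCESS_BLOCK_FLAGS)


# Hardened setting. To apply it for real:
#   aws s3api put-public-access-block --bucket BUCKET \
#     --public-access-block-configuration \
#     BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
HARDENED_BLOCK = {flag: True for flag in PUBLIC_ACCESS_BLOCK_FLAGS}
# Partial setting: ACLs are blocked, but a public bucket policy still works.
PARTIAL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                 "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    print("public statements in weak policy:", public_statements(PUBLIC_READ_POLICY))
    print("public statements in hardened policy:", public_statements(PRIVATE_POLICY))
    print("Block Public Access complete (hardened):", public_access_block_complete(HARDENED_BLOCK))
    print("Block Public Access complete (partial):", public_access_block_complete(PARTIAL_BLOCK))
```

The policy check is deliberately conservative: it only reports statements that are unconditionally open to the anonymous principal, and leaves conditional wildcard statements for a human to judge, since a condition such as a VPC endpoint restriction can make an apparently public statement private. The Block Public Access check is the simpler control, and the one that would have prevented a public policy from taking effect regardless of how the policy was written.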
