The issue of data security has been at the forefront since the federal government introduced the national identity database. In December 2021, Isa Pantami, minister of communications and digital economy, announced that 71 million Nigerians had been captured on the database.
With more Nigerians registering, is the NIN database safe from hackers?
On Monday, a hacker identified as Sam claimed he had successfully found a bug on the server of Nigeria’s National Identity Management Commission (NIMC) — revealing how easy it was for him to breach the server and access the personal information of millions of people.
According to Sam, he came across the data while looking for something else to help him decompile some applications he was working on.
“As usual, I am hunting for something in the source code of the application. As the scope is huge, I collected all the applications and decompiled them all at once with apktool with this command: find . -iname "*.apk" -exec apktool d -o {}_out {} \;” he said.
“Now I started to look for something juicy in the decompiled files, but as there are about 50+ applications, I can’t look at each of them manually, right? I just got an idea of nuclei, and boom, I knew there are templates for Android applications. I just downloaded them and started nuclei on the whole directory.
“After 18–19 mins of a run, Nuclei gave an output saying S3 Bucket Found. I tried to access it via AWS CLI, and it’s like: Access denied. No luck there.
“Then after a few mins of running, I’ve got one more output for an s3 bucket. I casually tried to access it without any hope, and damn! The s3 bucket is full of juice.
“And I was just like: I just simply got access to their data of internal files, users, and everything they have. I can download everything, even the whole bucket.”
The hacker also posted the data he obtained in the process — a copy of the national identity slip from NIMC, defaced to hide vital information.
A security expert explained that Amazon secures S3 buckets by default; for a bucket to be publicly accessible to any hacker, as was the case with Sam, someone must have exposed it.
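The expert's point above is that a bucket stays private unless its bucket policy, its ACL or the Block Public Access settings have been loosened. The Python audit below is an added example, not code from the article or from anyone it quotes: it checks those three settings offline against constructed sample documents (the bucket name `example-bucket` and the policy and ACL contents are made up) and reports which setting would expose the data.

```python
# ACL grantee URIs that make a bucket or object readable by anyone on the internet
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four S3 Block Public Access switches
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def policy_is_public(policy: dict) -> bool:
    """True if an unconditional Allow statement names an anonymous principal."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # conditioned statements need a separate, deeper review
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            if "*" in ([aws] if isinstance(aws, str) else aws):
                return True
    return False

def acl_is_public(grants: list) -> bool:
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)

def block_public_access_complete(pab: dict) -> bool:
    """True only when all four Block Public Access switches are on."""
    return all(pab.get(k) is True for k in PAB_KEYS)

def audit_bucket(policy: dict, grants: list, pab: dict) -> list:
    """Return findings as strings; an empty list means no exposure was found."""
    findings = []
    if policy_is_public(policy):
        findings.append("bucket policy allows an anonymous principal")
    if acl_is_public(grants):
        findings.append("ACL grants access to AllUsers/AuthenticatedUsers")
    if not block_public_access_complete(pab):
        findings.append("Block Public Access is not fully enabled")
    return findings

# Constructed sample: a policy letting anyone list and read the whole bucket
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
LEAKY_ACL = [{"Grantee": {"Type": "Group", "URI":
              "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
OPEN_PAB = dict.fromkeys(PAB_KEYS, False)     # every switch off, as on an exposed bucket
HARDENED_PAB = dict.fromkeys(PAB_KEYS, True)  # all four on: the posture a private bucket needs
```

Running the same checks against the output of the AWS CLI `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` calls turns this into a recurring audit of an account's own buckets.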
Hours later, the hacker recanted, saying the leaked server was not from any Nigerian portal but from Tecno Mobile. He said he reported the case to Tecno, and the bug was fixed.
Guys, I am a bug hunter, and recently I found an S3 bucket in @TecnoSRC company's bug bounty program, and the bucket is open and it contained the data of the company. Now news headlines are messing everything here. I've straight reported it to Tecno, and they fixed it within..
— Sam (@__Sam0_0) January 10, 2022
He also edited the article published on Medium and removed a copy of the national ID posted as a screenshot in the story — but failed to explain why he mentioned Nigeria’s ID database in the previous version.
New Write-up on InfoSec Write-ups publication : "A TALE OF 5250$ : HOW I ACCESSED MILLIONS OF USER’S DATA INCLUDING THEIR NATIONAL ID’S" #bugbounty #bugbountywriteup #bugbountytips https://t.co/abNL2t5D4E
— InfoSec Community (@InfoSecComm) January 10, 2022
Speaking with TheCable on the development, Boye Adegoke, senior program manager at Paradigm Initiative, said there is the possibility of negligence on the part of NIMC.
“If the story is true, it is negligence on the part of NIMC, but what is more worrisome is the fact that after this, what happens next? Are we going to talk and act as if nothing happened? Will someone get punished?” Adegoke asked.
The data privacy activist noted that the approach and attitude of NIMC toward the management of national data is poor.
“I wouldn’t really be surprised if this is true because I have always believed that the cyber security approach and our attitude show we don’t understand the process and how it works,” he added.
In a statement on Tuesday, NIMC said its servers are secure and optimised for identity management.
“The National Identity Management Commission (NIMC) wishes to inform the public that its servers were not breached but are fully optimised at the highest international security levels as the custodian of the most important national database for Nigeria,” the statement reads.
“The NIMC Director-General stated that the Commission does not use nor store information on the AWS cloud platform or any public cloud despite the usefulness of the NIMC Mobile App available to the public for accessing their NIN on the go.”