Elliot Alderson: The ethical hacker who exposed Aadhaar's security flaws
A few weeks ago, French security researcher Baptiste Robert, who is better known by his Twitter username Elliot Alderson, hacked into the Aadhaar app within a minute and reportedly gained access to 22,000 Aadhaar card details. This was not the first government platform he broke into. Who is Alderson and why has he been tearing apart Indian web portals?
Alderson is a French security expert and app developer
Alderson is a French security expert who is a network and telecommunications engineer by profession. He claims to have no ulterior motive behind his revelations other than highlighting serious security vulnerabilities so that they can be patched as early as possible. To be transparent about the whole process, Alderson openly communicates with the organizations concerned on Twitter, and often publicly posts his DM conversations with them.
Alderson is inspired by renowned whistleblower Edward Snowden
The French developer draws inspiration from renowned whistleblower Edward Snowden. "By nature, I'm curious and I like to understand how things are working, which often leads to finding security flaws," he said. The 28-year-old cybersecurity expert does not have any sort of team behind him and follows a "standard process" to find security flaws.
Here is how the Aadhaar fiasco started
Initially, Alderson found a loophole in the Aadhaar Android application which revealed that users' biometric data was being saved in a local database by the app developers, protected by a password that wasn't too difficult to obtain. "These cards can be found on the internet. They are not on the UIDAI server. Everything is public, no hack is required," he said.
Which led to Alderson accessing 22,000 Aadhaar details in 1 min
Aadhaar not the only platform Alderson has exposed
On February 25, Alderson accessed the database of the Telangana government's benefit disbursement portal TSPost. This contained personal information of 56 lakh beneficiaries of the National Rural Employment Guarantee scheme and 40 lakh beneficiaries of social security pensions. He had also earlier highlighted that Paytm was seeking root access to users' devices, after which the mobile payments company removed the root request.
Not impossible to achieve almost 100% privacy online: Alderson
Previously, Alderson has discovered vulnerabilities in the online portals of Punjab Police, Indian Postal Service, Apollo Hospitals, and BSNL. He says that even though it is "complicated," it is not entirely impossible to achieve almost 100% privacy online. Interestingly, his username is inspired by a character of the same name from the television series Mr Robot, who is also a vigilante hacker.