# Sneaking into your documents: How I hacked DigiLocker?

![](https://miro.medium.com/v2/resize:fit:1200/0*imgWteYlHRtHxaJE.jpg)

Hello, friend.

Ever wonder what it feels like to hold someone’s entire digital identity in your hands? To have the power to become anyone you want? That’s the rabbit hole I fell into when I decided to poke around DigiLocker.

You see, DigiLocker is supposed to be this fortress of digital documents. Aadhaar cards, PAN cards, mark sheets — all the little pieces that make up a person’s official existence. But here’s the thing about fortresses, they always have a weak spot. You just need to know where to look.

DigiLocker has a multi-factor authentication (MFA) setup to keep your account secure: a 6-digit security PIN, followed by an OTP verification. Sounds impenetrable, right? Well, only if it were implemented correctly.

> **“People always make the best exploits. I’ve never found it hard to hack most people. If you listen to them, watch them, their vulnerabilities are like a neon sign.” ~Elliot Alderson**

It started innocently enough. I entered my phone number for the login process, and that’s when I saw it — a POST request revealing all accounts linked to that number, each with a unique `digilockerid`. I felt it, like a switch flipping in my mind. My Mr. Robot persona, surging to the forefront. Dissociative identity disorder? Maybe. Hacker instinct? Definitely.

![](https://cdn-images-1.medium.com/max/1600/1*2uTkmZ9bJ42BJ455ZchW2A.png)

This was just the beginning, and I knew we were in for a wild ride. I fired up Burp Suite. I entered my PIN and landed on the OTP verification page. But wait, what’s this? An option to update the mobile number? Interesting.

I clicked it, and — an OTP was sent to the phone number registered with UIDAI, the one linked to my Aadhaar card. I entered the OTP, and I was presented with a screen to enter a new phone number.

![](https://cdn-images-1.medium.com/max/1600/1*cAz3ikFNYT-J9UJEulAn_A.png)

But the real magic happened when I intercepted this request. There was a parameter called **“user”**, which was nothing but the `digilockerid`.

I swapped my `digilockerid` with a friend’s (don’t worry, he was in on it). Hit send, and… holy shit! His DigiLocker account was now linked to my phone number. Just like that, I’d picked the lock on someone’s digital safe.

![](https://cdn-images-1.medium.com/max/1600/1*y3aE5navYmJMfwZEzCjeIw.png)

But the rabbit hole went deeper. I couldn’t log in without his 6-digit PIN. Brute force? Nah, too noisy, even though their IP-based rate limiting was a joke and could’ve been easily bypassed by rotating IPs. Instead, I whispered to DigiLocker, *“Hey, I forgot my security PIN. Can you help me out?”*

The **“Forgot PIN”** process asked for the account, phone number, and date of birth from the linked Aadhaar card. A speed bump, sure, but nothing a little social engineering couldn’t solve. For testing, I used my own account details first.

And there it was again — that same flow we saw earlier. I intercepted the request, did it dirty by swapping in my friend’s `digilockerid`, and…

![](https://cdn-images-1.medium.com/max/1600/1*85sr3pVdWAEl81TlqAOWTA.png)

I was in. Full access to someone else’s digital life. Aadhaar card, PAN card, mark sheets, everything. It’s enough to make you want to put on a hoodie and disappear into the night.
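Both the mobile-number update and the Forgot PIN flow failed the same way: the OTP check proved that *someone* owned *some* account, but the account actually modified came from the client-supplied `user` field. The added example below is not DigiLocker's code; it models the flows as a tiny in-memory service with hypothetical names (`Session`, `update_mobile_*`, `reset_pin_hardened`) and constructed sample accounts, and shows the vulnerable handler beside one that binds the OTP verification to an account id and refuses any `user` value that does not match it.

```python
# Added example, not DigiLocker's code. Sample accounts are constructed and
# keyed by digilockerid; phone numbers and PINs are fake placeholders.
from dataclasses import dataclass
from typing import Optional

ACCOUNTS = {
    "dl-alice": {"phone": "+91-0000000001", "pin": "123456"},
    "dl-bob":   {"phone": "+91-0000000002", "pin": "654321"},
}

@dataclass
class Session:
    account_id: str                         # account the login/recovery started for
    otp_verified_for: Optional[str] = None  # account whose OTP this session verified

def verify_otp(session: Session, otp_ok: bool) -> None:
    # Bind the successful OTP check to the account it was sent for.
    if otp_ok:
        session.otp_verified_for = session.account_id

def update_mobile_vulnerable(session: Session, user: str, new_phone: str) -> bool:
    # Mirrors the flaw in the write-up: the "user" field from the request is
    # treated as authoritative, so an OTP-verified session for one account
    # can re-point any other digilockerid at the caller's phone number.
    if session.otp_verified_for is None:
        return False
    ACCOUNTS[user]["phone"] = new_phone
    return True

def _authorized(session: Session, user: str) -> bool:
    # The only account a step may modify is the one the OTP was verified for.
    # A mismatch means the client altered "user" and should be logged/alerted.
    return session.otp_verified_for is not None and user == session.otp_verified_for

def update_mobile_hardened(session: Session, user: str, new_phone: str) -> bool:
    if not _authorized(session, user):
        return False
    ACCOUNTS[user]["phone"] = new_phone
    return True

def reset_pin_hardened(session: Session, user: str, new_pin: str) -> bool:
    # Forgot-PIN flow: same binding check guards the second affected endpoint.
    if not _authorized(session, user):
        return False
    ACCOUNTS[user]["pin"] = new_pin
    return True
```

The same `_authorized` check belongs on every step that follows an OTP (or any other verified factor); the account id must be read from the server-side session, never from the request body.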

> **“The world is a dangerous place, Elliot, not because of those who do evil, but because of those who look on and do nothing.” ~Mr. Robot**

Being an intern at DigiLocker back then, I quickly escalated the issue to the concerned team. They resolved it swiftly. Crisis averted.

But before I end this, I want to give credit where it’s due. This was no solo mission. [Meet Suthar](https://www.linkedin.com/in/meetsuthar04) was alongside me throughout. Together, we spent sleepless nights discovering this vulnerability and worked to ensure it was patched up. So, a big shoutout to Meet for being an essential part of this wild ride.

Signing off.
