The issue of data security has been at the forefront since the federal government introduced the national identity database.
In December 2021, Isa Pantami, minister of communications and digital economy, had announced that 71 million Nigerians had been captured on the database.
As more Nigerians registered, is the NIN database free from hackers?
On Monday, a hacker identified as Sam claimed he successfully found a bug on the server of Nigeria’s National Identity Management Commission (NIMC) — revealing how easy it was for him to breach the server and access the personal information of millions of people.
According to Sam, he came across these data while sourcing for something else to help him decompile some applications he was working on.
“As usual, I am hunting for something in the source code of the application, As the scope is huge, So I collected all the applications and decompiled them all at once with apktool with this command: find . -iname “*.apk” -exec apktool d -o {}_out {} \;” he said.
“Now I started to look for something juicy in decompiled files, but as there are about 50+ applications, I can’t look at each of them manually right? I just got an idea of nuclei, and boom I knew there are templates for android applications, I just downloaded them and, started nuclei on the whole directory,
“After 18–19 mins of a run, Nuclei gave an output saying S3 Bucket Found, I tried to access it via AWS CLI, and it’s like: Acess denied, No luck there.
“Then after a few mins of running, I’ve got one more output for s3 bucket, I casually tried to access it without any hope, and damn! the s3 bucket is full of juice.
“And I was just like: I just simply got access to their data of internal files, Users, and everything they have, I can download everything, Even the whole bucket.”
The hacker also posted the data he obtained in the process — a copy of the national identity slip from NIMC but defaced it to hide vital information.
A security expert explained that Amazon secures S3 buckets by default but for a bucket to be publicly accessible to any hacker, as was the case with Sam, someone must have leaked it.
Hours later, the hacker recanted that the leaked sever was not from any Nigerian portal but Tecno Mobile.
He said he reported the case to Tecno, and the bug fixed.
Guys, I am a bug hunter , and recently I found a S3 bucket, in @TecnoSRC company’s bug bounty program, and the bucket is open and it contained the data of company , Now news headlines are , messing everything here, I’ve starigtly reported it to Tecno, and they fixed it within..
Sam (@__Sam0_0) January 10, 2022
He also edited the article published on Medium and removed a copy of the national ID posted as a screenshot in the story — but failed to explain why he mentioned Nigeria’s ID database in the previous version.
New Write-up on InfoSec Write-ups publication : “A TALE OF 5250$ : HOW I ACCESSED MILLIONS OF USER’S DATA INCLUDING THEIR NATIONAL ID’S” #bugbounty #bugbountywriteup #bugbountytips https://t.co/abNL2t5D4E
In a statement on Tuesday, NIMC said its servers are secure for identity management and optimised.
“The National Identity Management Commission (NIMC) wishes to inform the public that its servers were not breached but are fully optimised at the highest international security levels as the custodian of the most important national database for Nigeria,” the statement reads.
“The NIMC Director-General stated that the Commission does not use nor store information on the AWS cloud platform or any public cloud despite the usefulness of the NIMC Mobile App available to the public for accessing their NIN on the go.”
-Thecable
