The issue of data security has been at the forefront since the federal government introduced the national identity database.
In December 2021, Isa Pantami, minister of communications and digital economy, had announced that 71 million Nigerians had been captured on the database.
As more Nigerians registered, is the NIN database free from hackers?
On Monday, a hacker identified as Sam claimed he successfully found a bug on the server of Nigeria’s National Identity Management Commission (NIMC) — revealing how easy it was for him to breach the server and access the personal information of millions of people.
According to Sam, he came across these data while sourcing for something else to help him decompile some applications he was working on.
“As usual, I am hunting for something in the source code of the application, As the scope is huge, So I collected all the applications and decompiled them all at once with apktool with this command: find . -iname “*.apk” -exec apktool d -o {}_out {} \;” he said.
“Now I started to look for something juicy in decompiled files, but as there are about 50+ applications, I can’t look at each of them manually right? I just got an idea of nuclei, and boom I knew there are templates for android applications, I just downloaded them and, started nuclei on the whole directory,
“After 18–19 mins of a run, Nuclei gave an output saying S3 Bucket Found, I tried to access it via AWS CLI, and it’s like: Acess denied, No luck there.
“Then after a few mins of running, I’ve got one more output for s3 bucket, I casually tried to access it without any hope, and damn! the s3 bucket is full of juice.
“And I was just like: I just simply got access to their data of internal files, Users, and everything they have, I can download everything, Even the whole bucket.”
The hacker also posted the data he obtained in the process — a copy of the national identity slip from NIMC but defaced it to hide vital information.
A security expert explained that Amazon secures S3 buckets by default but for a bucket to be publicly accessible to any hacker, as was the case with Sam, someone must have leaked it.
Hours later, the hacker recanted that the leaked sever was not from any Nigerian portal but Tecno Mobile.
He said he reported the case to Tecno, and the bug fixed.
He also edited the article published on Medium and removed a copy of the national ID posted as a screenshot in the story — but failed to explain why he mentioned Nigeria’s ID database in the previous version.
Speaking with TheCable on the development, Boye Adegoke, senior program manager at Paradigm Initiative, said there is the possibility of negligence on the part of NIMC.
“If the story is true, it is negligence on the part of NIMC, but what is more worrisome is the fact that after this, what happens next? Are we going to talk and act as if nothing happened? Will someone get punished?” Adegoke asked.
The data privacy activist noted that the approach and attitude of NIMC toward the management of national data is poor.
“I wouldn’t really be surprised if this is true because I have always believed that the cyber security approach and our attitude show we don’t understand the process and how it works,” he added.
In a statement on Tuesday, NIMC said its servers are secure for identity management and optimised.
“The National Identity Management Commission (NIMC) wishes to inform the public that its servers were not breached but are fully optimised at the highest international security levels as the custodian of the most important national database for Nigeria,” the statement reads.
“The NIMC Director-General stated that the Commission does not use nor store information on the AWS cloud platform or any public cloud despite the usefulness of the NIMC Mobile App available to the public for accessing their NIN on the go.”
TheCable