A report in the Indian edition of the Huffington Post said the patch in question was available for as little as 2500 Indian rupees (A$48.50) and could be used by anyone to generate Aadhaar numbers.
Every citizen is expected to have an Aadhaar number in order to obtain everything from a mobile phone to a bank account.
In January, when there were reports that personal details of Indian citizens were being sold cheaply online, police asked for an investigation into the newspaper that reported the story.
Huffington Post reporters Rachna Khaira, Aman Sethi and Gopal Sathe wrote that, following an investigation lasting three months, they had obtained the patch themselves and had it analysed by both Indian and foreign software experts.
Those who enrol new users have to use biometric authentication themselves, but the patch allows anyone to bypass this stricture, the trio wrote.
The patch also disabled the in-built GPS checks - which identified the location of an enrolment centre - meaning that anyone located anywhere could now enrol users.
A third thing that the patch did was to lessen the sensitivity of the enrolment software's iris recognition system. This meant that one could use a photograph of an operator and deceive the software; the physical presence of the operator could be avoided.
The experts consulted by the three reporters said that the patch was compromising fundamental attributes of the enrolment software and only a rewrite from scratch would fix it.
One of the experts, Gustaf Björksten, chief technologist at Access Now, a global technology policy and advocacy group, told the Huffington Post: "There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile.
"To have any hope of securing Aadhaar, the system design would have to be radically changed."
A cyber security analyst based in Bangalore, Anand Venkatanarayanan, said the patch was put together by using code from older versions of the enrolment software to newer versions.
The reporters said they had asked the Indian authorities for comment but had not received any response from either the Unique Identification Authority of India or the National Critical Information Infrastructure Protection Centre, the latter being the entity responsible for providing security for the database.