The database of an Indian COVID-19 surveillance tool app exposing very sensitive information of around 8 million in people online.
The database of an Indian COVID-19 surveillance tool app exposing very sensitive information of around 8 million in people online.
The researchers from VPNMentor discovered the data breach that put the personal data of citizens at risk.
This COVID-19 tracking tool named “Surveillance Platform Uttar Pradesh COVID-19” belonged to the most populous Indian state Uttar Pradesh. The state has recorded the highest confirmed positive COVID-19 cases in India.
According to the researchers, the three vulnerabilities within the software are:
- An unsecured git repository was revealing technical information, including passwords to admin accounts on the platform and a SQL data dump.
- This made the platform’s admin dashboard accessible to anyone with the passwords taken from the git repository.
- A separate index of CSV files containing daily COVID-19 patient reports- available without a password or any other login credential.
The passwords we're just 4-digit numbers and many accounts shared the same 4-digit code as the platform’s administrator. Anyone could quickly gain access to the admin dashboard of the surveillance platform and would have complete control over it. This would allow them to modify entries, test results and alter the patient data.
The information in the database includes full names, age, gender, residence addresses, phone numbers, tracking dates and test results including test results of foreign residents in India who tested positive for coronavirus.
Researchers also found a link to CSV files through an exposed web index that contained testing data not only from UP but also other parts of India as the platform also integrated data acquired by India’s Central Government.
The breach was detected on August 1, 2020, and was reviewed and analysed by August 9, 2020. The authorities were contacted immediately, but there was no response from them. Later, on August 10, 2020, the breach was secured after contacting the CERT-In.
For the latest cyber threats and the latest hacking news please follow us on Facebook, Linkedin, and Twitter.
You may be interested in reading: How to Survive the COVID Time Cyber Security Threats?