UP Govt's COVID-19 Tracker Bug Exposed Over 80 Lakh People's Private Data
The security flaw was highlighted recently by cyber security researchers Noam Rotem and Ran Locar. The researchers then raised the issue with CERT-In, the Indian Computer Emergency Response Team. The cyber threat response agency has now patched the bugs.
The spread of COVID-19 in India gave rise to several contact tracing platforms that help monitor the outbreak. The one used by the Uttar Pradesh government has now been found to contain multiple bugs, leaving the private data of 8 million users exposed.
The security flaw was highlighted recently by cyber security researchers Noam Rotem and Ran Locar. Working on behalf of VPNMentor, the duo checked the 'Surveillance Platform Uttar Pradesh COVID-19', the UP state government's official internal coronavirus tracking platform, for loopholes.
The researchers then raised the issue with CERT-In, the Indian Computer Emergency Response Team. The cyber threat response agency has now patched the bugs, and the previously exposed data is no longer reachable by attackers.
It is not yet clear whether the vulnerabilities were exploited during the time they were present. The report states that Rotem and Locar discovered the exposure on August 1 and verified it by August 9. They then contacted the UP government and brought the security loopholes to its notice. The bugs were patched on September 10.
Multiple loopholes
According to the report, the contact tracing system used by the UP government had several bugs. One was an exposed code repository containing login credentials for administrator accounts. Those accounts in turn had access to the platform's database, so an attacker could have modified any of the information in it, including case statuses and patient data. Credentials committed to a repository also persist in its history after the file is removed, so remediating such an exposure means rotating the credentials, not just deleting them.
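The check a development team would want in place to stop credentials like these from reaching a repository in the first place, as an added example (not code from the UP platform or the VPNMentor report): a small pre-commit style scanner that flags secret-looking assignments and long high-entropy literals while ignoring comments, placeholders and values read from the environment. The regexes, the entropy cut-off and the sample files are assumptions constructed for the demonstration.

```python
"""Detect hard-coded credentials in source before they reach a repository.

Added example; the patterns, threshold and sample file contents are
assumptions chosen to illustrate the check, not the platform's real code.
"""
import math
import re
from collections import Counter

# Assumed pattern: a secret-looking identifier assigned a quoted literal,
# e.g.  DB_PASSWORD = "..."  or  db_pass: '...'
CREDENTIAL_RE = re.compile(
    r"""(?ix)
    (?P<key>[A-Za-z_][A-Za-z0-9_.-]*
        (?:pass(?:word|wd)?|secret|token|api[_-]?key|private[_-]?key|credential)
        [A-Za-z0-9_.-]*)
    \s*[:=]>?\s*
    ['"](?P<value>[^'"\n]{4,})['"]
    """
)
# Any long quoted literal; judged by entropy so random keys assigned to
# bland names are still caught.
TOKEN_RE = re.compile(r"""['"](?P<value>[A-Za-z0-9+/=_-]{32,})['"]""")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off
PLACEHOLDERS = {"changeme", "password", "xxxx", "example", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for a single repeated char)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str = "<memory>") -> list[dict]:
    """Return one finding per line that appears to contain a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "//")):
            continue  # commented-out lines are noise for this check
        m = CREDENTIAL_RE.search(line)
        if m:
            if m.group("value").lower() not in PLACEHOLDERS:
                findings.append({"path": path, "line": lineno,
                                 "kind": "named-credential", "key": m.group("key")})
            continue
        for t in TOKEN_RE.finditer(line):
            if shannon_entropy(t.group("value")) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno,
                                 "kind": "high-entropy-literal", "key": None})
                break
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of path -> contents; findings are returned in path order."""
    out = []
    for path in sorted(files):
        out.extend(scan_text(files[path], path))
    return out


# Constructed sample files for the demonstration; not real project code.
SAMPLE_FILES = {
    "settings.py": "\n".join([
        "import os",
        "DB_HOST = 'db.internal'",
        'DB_PASSWORD = "Sup3rS3cret!2020"',                   # hard-coded: flagged
        '# OLD_PASSWORD = "legacy"',                          # comment: ignored
        'ADMIN_PASSWORD = "changeme"',                        # placeholder: ignored
        'SESSION_SALT = "k9Fz3qLmT7xB2vR8nW4yH6jP0sD1aG5c"',  # random literal: flagged
        'BANNER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',   # long but low entropy
        'DB_PASSWORD_FROM_ENV = os.environ["DB_PASSWORD"]',  # correct practice
    ]),
    "deploy.yml": "admin_user: ops\nadmin_pass: 'hunter22'\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['key'] or ''}")
```

Run against the constructed files it reports the hard-coded database password, the YAML admin password and the random session salt, and stays silent on the comment, the placeholder, the low-entropy banner and the value read from the environment. In a real pipeline the same function would run over the staged files of each commit and fail the commit on any finding.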
Another bug described in the report was an exposed database that also contained records on people outside Uttar Pradesh. The data, covering over 8 million people, consisted mostly of personal information such as names, addresses, tracking dates, test results and phone numbers.
The security researchers probed the system using ethical hacking techniques and then reported their findings to CERT-In. The vulnerabilities are now said to be fixed.