Millions Exposed in #COVID19 Surveillance Platform Snafu
Over eight million patients in India had their personal and medical details exposed after security researchers discovered multiple vulnerabilities in a government-run COVID-19 surveillance system.
The “Surveillance Platform Uttar Pradesh Covid-19” software was first discovered by vpnMentor researchers via a web scan on August 1 2020. After contacting CERT-In and the cybercrime department of the Uttar Pradesh government, the issues were finally remediated on September 10.
The research team found two main problems: an unsecured git repository containing code for the platform as well as plain text admin credentials and a separate index of CSV files containing daily COVID-19 patient reports, which was accessible without a password.
Personal data exposed included full names, addresses, phone numbers, diagnoses, symptoms and medical records.
Even worse, the passwords in the git repository were listed twice, once in easy-to-crack, unsalted MD5 hashes. Most were simply four-digit numbers, often linked to the same code as that of the platform’s administrators, the report noted.
“It appears that no security audits were undertaken on the git repository to review who had access to the data, and to implement robust security protocols, despite numerous parties spread throughout Uttar Pradesh using the surveillance platform to upload data,” said vpnMentor.
“As a result, anyone with knowledge of the platform’s URL and access to the git repository could gain complete access to its admin dashboard. Not only did this expose any data stored therein to possible theft, but, based on additional information stored on the git repository, we believe that once a hacker had access to the admin dashboard of the surveillance platform, they would have complete control.”
The security snafu therefore could have had several unintended consequences: offering hostile nations an opportunity to disrupt state efforts to tackle the pandemic, as well as providing a trove of sensitive data for cyber-criminals to craft follow-on phishing and identity fraud attacks.