A security flaw in a website run by the government of West Bengal in India exposed the lab results of at least hundreds of thousands of residents, though likely millions, who took a COVID-19 test.
The website is part of the West Bengal government's mass coronavirus testing program. Once a COVID-19 test result is ready, the government sends a text message to the patient with a link to its website containing their test results.
But security researcher Sourajeet Majumder found that the link carried the patient's unique test identification number merely base64-encoded. Base64 is a reversible encoding, not encryption, and can be decoded with any online tool. Because the identification numbers were issued sequentially, anyone could decode the number in the link, change it to a neighbouring value in their browser's address bar and view other patients' test results; the site did nothing to check that the requester was entitled to the record being asked for.
The test results include the patient's name, sex, age and postal address, and whether the lab test came back positive, negative or inconclusive for COVID-19.
Majumder told TechCrunch that he was concerned a malicious attacker could scrape the site and sell the data. "It is a privacy violation if somebody else gets access to my private information," he said.
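The weakness described above is an insecure direct object reference: the only thing standing between a user and another patient's record is a guessable identifier. The following Python is an added illustration written for this page, not code from the West Bengal site or from the researcher. The endpoint `https://results.example/report`, the record store `RESULTS` and the three patient records are constructed stand-ins; the field set follows the article. It shows the weak scheme (a sequential ID that is only base64-encoded), how one link is turned into its neighbours, and a hardened variant that issues a high-entropy random token per result and keeps only a hash of it server-side, so the link cannot be enumerated and a leaked lookup table does not yield working links.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample records standing in for the lab-results database. The field set
# (name, sex, age, postal address, result) follows the article; the IDs are sequential.
RESULTS = {
    100231: {"name": "Patient A", "sex": "F", "age": 34, "address": "Kolkata", "result": "negative"},
    100232: {"name": "Patient B", "sex": "M", "age": 52, "address": "Howrah", "result": "positive"},
    100233: {"name": "Patient C", "sex": "M", "age": 27, "address": "Siliguri", "result": "inconclusive"},
}

BASE = "https://results.example/report"  # hypothetical endpoint, not the real site


def weak_link(test_id: int) -> str:
    """The pattern the article describes: a sequential ID, merely base64-encoded, in the URL."""
    token = base64.b64encode(str(test_id).encode()).decode()
    return f"{BASE}?{urlencode({'id': token})}"


def decode_weak_link(url: str) -> int:
    """Base64 is reversible encoding, not encryption: any decoder recovers the ID."""
    token = parse_qs(urlparse(url).query)["id"][0]
    return int(base64.b64decode(token))


def weak_fetch(url: str) -> Optional[dict]:
    """Vulnerable handler: trusts the ID in the link and performs no ownership check."""
    return RESULTS.get(decode_weak_link(url))


def enumerate_neighbours(url: str, span: int = 1) -> list:
    """What an attacker does with a sequential ID: decode one link, then walk adjacent IDs."""
    tid = decode_weak_link(url)
    return [weak_link(i) for i in range(tid - span, tid + span + 1)]


# Hardened variant: a random, high-entropy token mapped to the record server-side.
# Only a hash of the token is stored, so a leaked table does not reveal usable links.
TOKEN_INDEX = {}  # sha256(token) -> test_id


def issue_link(test_id: int) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits of entropy; not guessable or enumerable
    TOKEN_INDEX[hashlib.sha256(token.encode()).hexdigest()] = test_id
    return f"{BASE}?{urlencode({'token': token})}"


def safe_fetch(url: str) -> Optional[dict]:
    """Hardened handler: an unknown or tampered token resolves to nothing."""
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    test_id = TOKEN_INDEX.get(hashlib.sha256(token.encode()).hexdigest())
    return RESULTS.get(test_id) if test_id is not None else None


if __name__ == "__main__":
    mine = weak_link(100232)
    print("my link:", mine, "-> id", decode_weak_link(mine))
    for link in enumerate_neighbours(mine):
        rec = weak_fetch(link)
        print(link, "->", rec["name"] if rec else None, rec["result"] if rec else "")
    safe = issue_link(100232)
    print("hardened:", safe_fetch(safe)["name"], "| tampered:", safe_fetch(safe + "x"))
```

The random token is a mitigation for the enumeration, not a substitute for authorisation: a production system would still tie the record to an authenticated patient or to the phone number the SMS was sent to, rate-limit the endpoint, and expire links after a period, none of which the article says the site did.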

Majumder reported the vulnerability to CERT-In, India's national cybersecurity incident response team, which acknowledged the issue in an email. He also contacted the West Bengal government's website manager, who did not respond. TechCrunch independently confirmed the vulnerability and also reached out to the West Bengal government, which pulled the website offline but did not return our requests for comment.
TechCrunch held our report until the vulnerability was fixed or no longer presented a risk. At the time of publication, the affected website remains offline.
It is not known exactly how many COVID-19 lab results were exposed because of this security lapse, or whether anyone other than Majumder discovered the vulnerability. By the time the website was pulled offline at the end of February, the state government had tested more than 8.5 million residents for COVID-19.
West Bengal is one of the most populous states of India, with about 90 million residents. Since the start of the pandemic, the state government has recorded more than 10,000 coronavirus deaths.
It is the latest of several security incidents in the past few months to hit India and its response to the coronavirus pandemic.
Last May, India's largest cell network Jio admitted a security lapse after a security researcher found an exposed database containing data from the company's coronavirus symptom checker, which Jio had launched months earlier.
In October, a security researcher found that Dr Lal PathLabs had left hundreds of spreadsheets containing millions of patient booking records, including for COVID-19 tests, on a public storage server that was not protected with a password, allowing anyone to access sensitive patient data.