A security flaw in a website run by the state government of West Bengal in India exposed the lab results of at least hundreds of thousands of residents, though likely millions, who took a COVID-19 test.
The website is part of the West Bengal government’s mass coronavirus testing program. Once a COVID-19 test result is ready, the government sends a text message to the patient with a link to its website containing their test results.
But security researcher Sourajeet Majumder found that the link containing the patient’s unique test identification number was scrambled with base64 encoding, which can be easily reversed using online tools. Because the identification numbers were incrementally sequenced, the website bug meant that anyone could change that number in their browser’s address bar and view other patients’ test results.
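The weak design described above, base64 over an incrementing identifier, is worth setting next to what a result link should look like. The following is an added illustration, not code from the article or from the West Bengal site (whose implementation is not public): a review check that flags link tokens which decode to a plain integer, beside a hardened issuer that hands out random per-result tokens resolved through a hash-keyed table. The function and class names, and the dict standing in for a database, are assumptions.

```python
import base64
import binascii
import hashlib
import secrets


def sequential_link_token(test_id: int) -> str:
    """Builds a link token the way the article describes: base64 of a sequential id.

    Base64 is a reversible encoding, not encryption. The id is in plain sight and
    neighbouring ids differ by one, so every other record is guessable.
    """
    return base64.urlsafe_b64encode(str(test_id).encode()).decode()


def token_reveals_sequential_id(token: str) -> bool:
    """Review check: does a link token decode to a plain integer? True means enumerable."""
    padded = token + "=" * (-len(token) % 4)  # tolerate tokens issued without padding
    try:
        int(base64.urlsafe_b64decode(padded.encode()).decode())
        return True
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False


class ResultLinkStore:
    """Hardened issuer: one opaque random capability token per result.

    The token carries no information about the record. The server resolves it
    through a table keyed by the token's hash, so a leaked table does not hand
    out working links either.
    """

    def __init__(self) -> None:
        self._test_id_by_token_hash: dict[str, int] = {}  # stand-in for a DB table

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_link_token(self, test_id: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, unrelated to test_id
        self._test_id_by_token_hash[self._key(token)] = test_id
        return token

    def resolve(self, token: str):
        """Returns the test id for a valid token, or None for anything else."""
        return self._test_id_by_token_hash.get(self._key(token))
```

The check is the kind of thing a reviewer can run over a sample of issued links before launch; a token that survives it still needs the usual expiry and rate limiting on the result endpoint.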
The test results contain the patient’s name, sex, age, postal address, and whether the patient’s lab test result came back positive, negative, or inconclusive for COVID-19.
Majumder told TechCrunch that he was concerned a malicious attacker could scrape the site and sell the data. “This is a privacy violation if somebody else gets access to my private information,” he said.
Majumder reported the vulnerability to India’s CERT, the country’s dedicated cybersecurity response unit, which acknowledged the issue in an email. He also contacted the West Bengal government’s website manager, who did not respond. TechCrunch independently confirmed the vulnerability and also reached out to the West Bengal government, which pulled the website offline, but did not return our requests for comment.
TechCrunch held our report until the vulnerability was fixed or no longer presented a risk. At the time of publication, the affected website remains offline.
It’s not known exactly how many COVID-19 lab results were exposed because of this security lapse, or if anyone other than Majumder discovered the vulnerability. At the time the website was pulled offline at the end of February, the state government had tested more than 8.5 million residents for COVID-19.
West Bengal is one of the most populated states in India, with about 90 million residents. Since the start of the pandemic, the state government has recorded more than 10,000 coronavirus deaths.
It’s the latest of several security incidents in the past few months to hit India and its response to the coronavirus pandemic.
Last May, India’s largest mobile network Jio admitted a security lapse after a security researcher found a database containing the company’s coronavirus symptom checker, which Jio had launched months earlier.
In October, a security researcher found Dr Lal PathLabs left hundreds of spreadsheets containing millions of patient booking records, including for COVID-19 tests, on a public storage server that was not protected with a password, allowing anyone to access sensitive patient data.