BreachExchange mailing list archives
Proposed government coronavirus tracking app falls at the first hurdle due to data breach
From: Destry Winant <destry () riskbasedsecurity com>
Date: Mon, 20 Apr 2020 09:25:14 -0500
https://www.zdnet.com/article/proposed-government-coronavirus-app-falls-at-the-first-hurdle-due-to-data-breach/

A mobile application proposed to the government of the Netherlands as a means to track COVID-19 has already fallen short of acceptable security standards by leaking user data.

The app, Covid19 Alert, was one of seven applications presented to the Ministry of Health, Welfare, and Sport, as reported by RTL Nieuws.

The shortlisted mobile app's source code was published online over the weekend for scrutiny as the government decides which solution to back. It was not long before developers realized that the source files contained user data -- originating from another application.

According to the publication, the app contained close to 200 full names, email addresses, and hashed user passwords stored in a database from another project linked to an Immotef developer.

The source code was quickly pulled, but the damage was already done, with one developer criticizing the leak as "amateurish."

A spokesperson for the Covid19 Alert app said the information was "accidentally put online" due to the haste in which the team wanted to make the source code available for analysis.

The developers are working on improvements, but it remains to be seen if Covid19 Alert will go any further in the selection process, which is ongoing.

Mobile technology, specifically our smartphones and tablets, provides an opportunity for healthcare providers, governments, and researchers to be able to accurately track the spread of the novel coronavirus moving through populations.

However, forcing the general public to install these kinds of applications has prompted a number of privacy and security concerns, including how geolocation data is stored and could otherwise be used, whether or not information can be anonymized properly, and how tracking individuals in the future could erode rights to free movement, speech, and association.

At the beginning of April, 130 scientists, academics, and technology experts launched the Pan-European Privacy Preserving Proximity Tracing (PEPP-PT) initiative, a European scheme designed to oversee the development of COVID-19 tracker apps.

Earlier this month, researchers from Boston University proposed an alternative method for tracking COVID-19 that does not impede our privacy.

A voluntary mobile application is installed on our smartphones that leverages short-range broadcast technology -- such as NFC or Bluetooth -- and blasts out ID numbers, that change on a frequent basis, to those nearby. These numbers are stored on the device itself and users can choose to share them if they are diagnosed with COVID-19 to alert others that they have been in contact with a confirmed case.

_______________________________________________
BreachExchange mailing list
sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange
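The broadcast scheme described at the end of the article, sketched as an added example that is not part of the original message or of the Boston University proposal. The `Device` class, the `meet` helper, the use of one fresh random ID per epoch and the 16-byte ID size are all assumptions made for illustration.

```python
import secrets

ID_BYTES = 16  # assumed size of one broadcast identifier


class Device:
    """One phone in the scheme. All names here are hypothetical."""

    def __init__(self, name):
        self.name = name
        self.sent = {}      # epoch -> ID this device broadcast (kept on device)
        self.heard = set()  # (epoch, ID) pairs received from nearby devices

    def current_id(self, epoch):
        # A fresh random ID per epoch: nothing links one epoch's ID to the
        # next, so a passive listener cannot follow a device over time.
        if epoch not in self.sent:
            self.sent[epoch] = secrets.token_bytes(ID_BYTES)
        return self.sent[epoch]

    def receive(self, epoch, broadcast_id):
        self.heard.add((epoch, broadcast_id))

    def share_after_diagnosis(self):
        # Voluntary step: the user releases only the IDs they sent.
        return set(self.sent.items())

    def exposed_epochs(self, published):
        # Matching happens locally; the heard list never leaves the device.
        return sorted(epoch for epoch, _ in self.heard & published)


def meet(epoch, *devices):
    """Simulate devices within radio range of each other during one epoch."""
    for sender in devices:
        for receiver in devices:
            if receiver is not sender:
                receiver.receive(epoch, sender.current_id(epoch))


def run_scenario():
    # Constructed scenario: alice meets bob in epoch 1 and carol in epoch 2;
    # dave is never near alice. alice is later diagnosed and shares her IDs.
    alice, bob, carol, dave = (Device(n) for n in ("alice", "bob", "carol", "dave"))
    meet(1, alice, bob)
    meet(2, alice, carol)
    meet(3, bob, dave)
    published = alice.share_after_diagnosis()
    return {d.name: d.exposed_epochs(published) for d in (bob, carol, dave)}
```

Only the diagnosed user's own sent IDs are published; what each device heard stays local, so the list of who met whom is never collected in one place.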