BreachExchange mailing list archives
India’s COVID-19 surveillance tool exposed millions of user data
From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 24 Sep 2020 09:31:38 -0500
https://www.hackread.com/india-covid-19-surveillance-tool-exposed-user-data/ The COVID-19 surveillance tool built by the Uttar Pradesh state government has put data of approx. 8 million Indian citizens at risk. A research report from VPNmentor revealed that a COVID-19 surveillance tool dubbed Surveillance Platform Uttar Pradesh COVID-19 was compromised on August 1st, leading to a massive data breach. According to researchers, various vulnerabilities were exploited to compromise the surveillance platform, but the primary reason behind the breach was a severe lack of security. VPNnentor researchers noted that the regional government of Uttar Pradesh developed the tool as part of a large-scale mapping project. Its primary purpose was to track and trace coronavirus patients across India, and the lack of “data security protocols inadvertently left access to the platform-wide open,” exposing the data of millions in India. Researchers claim that the tool contained many vulnerabilities, all of which were exposing personally identifiable information data. The exposed data includes full names, gender, age, residential address, and contact numbers of everyone who had tested COVID-19 positive in Uttar Pradesh (UP), one of the country’s largest states, and other parts of India. The data was secured a month after VPNmentor’s team discovered it. According to VPNMentor’s analyst Ran Locar and Noam Rotem, the first vulnerability was identified in an unsecured and unencrypted git repository containing a “data dump” of login credentials, which included admin accounts usernames and passwords stored on the platform. CSV file listing individual daily cases and PII data (Image: vpnMentor) According to vpnMentor’s blog post, based on this discovery, the researchers found an exposed Web Index containing CSV files directory listing. It had information about all known cases of COVID-19 in UP and other locations in India. Sensitive private data, including full name, phone numbers, addresses, and test results of approximately 8 million citizens, was part of the listing. This Web Index also contained information about foreign residents, non-Indians, and healthcare workers, and wasn’t protected with a password. Researchers believe that although the directory listing hasn’t impacted UP’s surveillance system directly, it certainly has “severely compromised the safety of the millions of people listed in the CSV files, whose data probably originated from the surveillance platform and other sources.” The researchers reported the Indian government and the UP cyber-crime department, which didn’t respond. The government shared its findings with the country’s Computer Emergency Response Team CERT-IN on August 27th. VPNMentor’s team again contacted CERT-IN on September 7th and forced the organization to fix the issue. Finally, it was fixed by September 10th. There’s no evidence that a hacker misused the exposed data, but researchers believe that the impact of the vulnerabilities in the surveillance tool could be far-reaching. “Such malicious actions would have many real-world consequences on the effectiveness of Uttar Pradesh’s response and action against coronavirus, potentially causing extreme disruption and chaos,” the researchers noted. _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- India’s COVID-19 surveillance tool exposed millions of user data Destry Winant (Sep 24)