Over eight million people in India had their personal and professional medical data exposed after security researchers discovered multiple vulnerabilities in a government-run COVID-19 surveillance system.
The "Surveillance System Uttar Pradesh Covid-19" application was first discovered by vpnMentor researchers through a web scan on August 1 2020. After contacting CERT-In and the cybercrime department of the Uttar Pradesh government, the issues were eventually remediated on September 10.
The research team found two major problems: an unsecured git repository containing the system's source code as well as plaintext admin credentials, and a separate directory index of CSV files containing daily COVID-19 patient reports, which was accessible without a password.
Personal data exposed included full names, addresses, phone numbers, diagnoses, symptoms and medical records.
Worse still, the passwords in the git repository were listed twice, once in easy-to-crack, unsalted MD5 hashes. Most were simply four-digit numbers, often the same code as that used by the platform's administrators, the report noted.
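To show why unsalted MD5 hashes of four-digit PINs offer no real protection, here is an added example (not code from vpnMentor or from the surveillance platform). It brute-forces a constructed PIN hash over the whole 10,000-entry keyspace, shows that identical unsalted hashes reveal which accounts share a PIN without cracking anything, and contrasts this with a per-user salt plus a memory-hard scrypt hash. The PIN value, the sample hash list and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from itertools import product


def md5_hex(s: str) -> str:
    """Unsalted MD5 as the leaked repository used it (the weak scheme)."""
    return hashlib.md5(s.encode()).hexdigest()


# Constructed sample PIN and hash; not taken from the real repository.
LEAKED_HASH = md5_hex("4821")

# Constructed sample credential dump: user -> unsalted MD5 hash.
SAMPLE_DUMP = {
    "admin": md5_hex("4821"),
    "district_07": md5_hex("4821"),   # same PIN as admin, so identical hash
    "district_12": md5_hex("1990"),
}


def crack_md5_pin(target_hex: str, digits: int = 4):
    """Brute-force an unsalted MD5 hash of a numeric PIN of `digits` length.

    Returns (pin, attempts) or (None, attempts). The full keyspace is
    10**digits, so a four-digit PIN falls in at most 10,000 MD5 calls.
    """
    attempts = 0
    for combo in product("0123456789", repeat=digits):
        attempts += 1
        pin = "".join(combo)
        if hmac.compare_digest(md5_hex(pin), target_hex):
            return pin, attempts
    return None, attempts


def shared_hash_groups(dump: dict) -> dict:
    """Group users whose unsalted hashes are identical.

    Without a salt, equal PINs give equal hashes, so an attacker learns
    which accounts (e.g. admin and a district uploader) share a PIN before
    cracking a single one. Returns only groups with more than one user.
    """
    groups = defaultdict(list)
    for user, h in dump.items():
        groups[h].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def hash_pin_scrypt(pin: str, salt: bytes = b"") -> tuple:
    """Hardened form: random 16-byte per-user salt and memory-hard scrypt.

    The salt makes equal PINs hash differently and forces one full scrypt
    run per guess per user. Note this only slows an attack on a short
    numeric PIN; the real fix is a longer secret plus rate limiting.
    """
    salt = salt or os.urandom(16)
    # n=2**14, r=8 uses ~16 MiB per hash, under hashlib's default maxmem.
    digest = hashlib.scrypt(pin.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_pin_scrypt(pin: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate PIN against a stored record."""
    _, candidate = hash_pin_scrypt(pin, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    t0 = time.perf_counter()
    pin, attempts = crack_md5_pin(LEAKED_HASH)
    print(f"MD5 PIN recovered: {pin} after {attempts} guesses "
          f"in {time.perf_counter() - t0:.3f}s")
    print("Accounts sharing a PIN:", shared_hash_groups(SAMPLE_DUMP))

    salt, digest = hash_pin_scrypt("4821")
    t0 = time.perf_counter()
    verify_pin_scrypt("4821", salt, digest)
    print(f"One scrypt guess costs {time.perf_counter() - t0:.3f}s; "
          f"10,000 guesses per user would take roughly 10,000x that.")
```

Run it as a script to see the timing difference; the MD5 search completes in milliseconds, while each scrypt guess costs tens of milliseconds and must be repeated per user because the salts differ.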
"It seems that no security audits were undertaken on the git repository to review who had access to the data, and to implement robust security protocols, despite numerous parties spread across Uttar Pradesh using the surveillance platform to upload data," said vpnMentor.
"As a result, anyone with knowledge of the platform's URL and access to the git repository could gain complete access to its admin dashboard. Not only did this expose any data stored therein to potential theft, but, based on additional information stored on the git repository, we believe that once a hacker had access to the admin dashboard of the surveillance system, they would have complete control."
The security snafu therefore could have had numerous unintended consequences: giving hostile nations an opportunity to disrupt state efforts to tackle the pandemic, as well as providing a trove of sensitive information for cyber-criminals to craft follow-on phishing and identity fraud attacks.