According to a report, a COVID-19 surveillance tool apparently established by the Uttar Pradesh state government puts the data of 800,000 citizens at risk. The tool was found to have many vulnerabilities, all of which exposed personally identifiable information data, including the full name, age, gender, resident address and phone number of everyone who had been tested for COVID-19 in the country’s largest state and other regions. According to the researchers. The data breach was secured on September 10-a month after it was first discovered.
Researchers from VPN service provider VPNMentor noticed the data leak on August 1 through a tool called “Uttar Pradesh Surveillance Platform COVID-19.” The researchers pointed out the safety in a blog post.
The first vulnerability was discovered in an insecure git repository that contained a “data dump” of stored login credentials, which included the username and password of an administrator account on the platform. Based on the initial findings, VPNMentor analysts Noam Rotem and Ran Locar discovered a public web index containing a directory listing of CSV files. These documents list all known COVID-19 test cases in Uttar Pradesh and other parts of India, involving more than 8 million people. It contains data such as full name, address and phone number, as well as personal test results.
The web index also includes data for non-Indian citizens and foreign residents. In addition, according to findings, there are also lists that contain information about many medical staff.
The researchers mentioned in the blog post that the Web index can be accessed without any password and is completely open to the public.
The researcher said: “Although the directory listing did not directly affect the surveillance platform in Uttar Pradesh, it severely compromised the safety of millions of people listed in the CSV file. This data may come from surveillance platforms and other sources.”
After collecting detailed information from the findings, the researchers submitted a report to share with the Indian government. The report was forwarded to the country’s computer emergency response team CERT-In on August 27. The team of researchers has also reached the UP cybercrime department, although it did not respond. According to the blog post, on September 7, the researchers contacted CERT-In again and finally helped solve these problems.
The researchers pointed out: “This malicious behavior will have many real-world consequences for Uttar Pradesh’s response to the coronavirus and the effectiveness of its actions, which may lead to extreme destruction and chaos.”
There is no information to indicate whether any public data was destroyed by attackers. However, VPNMentor researchers believe that the impact of the loopholes in surveillance tools may extend far beyond the authorities carrying out COVID-19 relief efforts in Uttar Pradesh.
Should the government explain why Chinese applications are banned? We discussed this on the weekly technical podcast Orbital, you can subscribe via Apple Podcast, Google Podcast or RSS, download the episode, or click the play button below.