Security issue in Govt’s COVID-19 tracking app puts privacy of 90 million Indians at risk.
We all know about the Aarogya Setu app. It is a mobile application developed by the Government of India to connect essential health services with the people of India in our combined fight against COVID-19. The app is aimed at augmenting the initiatives of the Government of India, particularly the Department of Health, in proactively reaching out to users of the app and informing them about risks.
The Government of India says all is well with the Aarogya Setu app though.
An anonymous French hacker known by the name of Elliot Alderson on Twitter has discovered a security issue in the Government’s Aarogya Setu COVID-19 tracking app that could potentially put the privacy of 90 million Indians at risk. Being an ethical hacker, Alderson has “flagged” the issue to India’s Computer Emergency Response Team (CERT) and the National Informatics Centre (NIC), which falls under the Ministry of Electronics and Information Technology. Alderson is notably the same hacker who had earlier exposed issues in the Government of India’s mAadhaar app for Android.
On Tuesday, Alderson took to Twitter to claim that he had discovered a security issue in the Aarogya Setu app and asked the Government to contact him in private, so that he could disclose it to the authorities. The Government contacted the hacker soon enough and the issue was disclosed to them. Alderson now awaits a fix for the said issue, failing which the hacker would disclose the issue in public, as per the core tenets of ethical “white hat” hacking.
The Government of India came out with a detailed response to the hacker’s claims within a few hours, last night. But the reason we say the hacker still awaits a fix is that, in the words of Alderson, the Government basically said “(there’s) nothing to see here.” In other words, all is well with Aarogya Setu, as per the Government of India, even though the hacker appears to have raised not one, but two concerns with the app.
On Wednesday, Alderson published a blog post explaining why he thinks the app has security flaws. The two main concerns he points out are that anyone can access the internal database and that anyone can see who is sick anywhere in India, which violates privacy.
He says in his blog that "With only 1 click, an attacker can open any app internal file, including the local database used by the app called fight-covid-db." He says that he spent less than two hours figuring out the flaws. He found that an activity called WebViewActivity was behaving unusually and, on researching it, found that the activity has no host validation at all. He said he then tried to open an internal file, which opened easily. He alleges that the flaw was "quietly fixed" by the developers.
You can see the explanation here.
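To make "no host validation" concrete from the defender's side, here is an added example (not code from the Aarogya Setu app or from Alderson's post) of the check a WebView-hosting activity should apply before loading a URL it was handed. The class name `WebViewUrlPolicy`, the `example.org` host names and the sample URLs are all assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added illustration: allowlist check to run before WebView.loadUrl().
public final class WebViewUrlPolicy {
    // Hypothetical allowlist; a real app would list its own backend hosts here.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("app.example.org", "static.example.org");

    /** Returns true only for https URLs whose host is exactly on the allowlist. */
    public static boolean isAllowed(String url) {
        if (url == null) return false;
        final URI uri;
        try {
            uri = new URI(url.trim());
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected, never loaded "best effort"
        }
        // https only: this rejects file:, content:, javascript:, http: and scheme-less input.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // A user-info part (user@host) can disguise the real host, so refuse it outright.
        if (uri.getRawUserInfo() != null) return false;
        String host = uri.getHost();
        if (host == null) return false;
        // Exact match: a contains()/startsWith() test would accept
        // app.example.org.attacker.test as if it were the trusted host.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample inputs, one per failure mode the check covers.
        String[] samples = {
            "https://app.example.org/faq",            // allowed
            "file:///path/to/internal/file",          // local file scheme
            "http://app.example.org/faq",             // cleartext
            "https://app.example.org.attacker.test/", // look-alike host
            "https://app.example.org@attacker.test/", // user-info trick
            "javascript:alert(1)"                     // script scheme
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "LOAD    " : "REJECT  ") + s);
        }
    }
}
```

Only the first sample is loaded. On Android the same activity should also call `WebSettings.setAllowFileAccess(false)` so that a bypass of the URL check still cannot reach the app's private files.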
"Thanks to this endpoint an attacker can know who is infected anywhere in India, in the area of his choice. I can know if my neighbour is sick for example. Sounds like a privacy issue for me," he added.
Alderson stated that the app is not supposed to tell you the location of corona patients. "The first issue is a security issue and the second is a privacy issue. If you don't care about privacy, fine for you but it's still a privacy issue," he said.
On May 5, Alderson took to social media to tell the Aarogya Setu team that there are security flaws in their platform that put the data of 90 million Indians at risk. Soon after the tweet, Aarogya Setu took to Twitter to respond to the criticism over privacy flaws and stated that no user's data was at risk.
In this article I have given a detailed view of Aarogya Setu and its security issues.
4 Comments
good information
Again you have provided solid facts. Looking forward for more such posts related to technology.
This article was so good that I did not skip a single word in this article, I could not know when time had passed while reading this article. I read your article daily and I also share it if I like it. I have written an article on aarogya setu app kya hai after learning from you. Sir/Mam, you always help us by writing articles and it is also our duty to share your articles as much as possible. Sir/Mam, now allow me to go.
Check this superb and comprehensive article on Aarogya Setu App with all important details like color codes, contact tracing etc