A COVID-19 surveillance tool in the Indian state of Uttar Pradesh inadvertently exposed the personal information of over eight million people. According to vpnMentor’s researchers, the software named “Surveillance Platform Uttar Pradesh COVID-19” was compromised due to vulnerabilities within the platform; however, it is now secure after the issue was reported to the authorities.
The researchers found multiple flaws and a lack of basic security protocols in the platform’s infrastructure. There were three significant vulnerabilities:
- An unsecured git repository revealing technical information, including passwords to admin accounts on the platform and a SQL data dump.
- Access to the platform’s admin dashboard to anyone with the passwords taken from the git repository.
- A separate index of CSV files containing daily COVID-19 patient reports – accessible without a password or any other login credentials.
The researchers also highlighted that the platform’s developers wrongly deployed an unsecured git repository containing the source code, database data dumps, passwords, and endpoints. They further left the git repository without password protection, making it accessible to anyone without any login credentials.
“The passwords were listed on the file twice: a hashed version using plain MD5 (without salt), which can be easily cracked using a dictionary, and a plain text version stored side-by-side on a separate column. By having a plain text version of each password, the already weak hashed version was made void and useless. It also appears that no security audits were undertaken on the git repository to review who had access to the data, and to implement robust security protocols, despite numerous parties spread throughout Uttar Pradesh using the surveillance platform to upload data,” vpnMentor said.
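An added example (not from vpnMentor’s report or the platform’s code): a Python audit of a credential export that flags the two storage flaws described in the quote above and shows a salted, iterated replacement. The column names, sample rows, and PBKDF2 iteration count are assumptions made for illustration.

```python
import csv, hashlib, hmac, io, os, re

MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")
ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed sample export; column names and values are made up for this example.
SAMPLE_CSV = (
    "username,password_hash,password_plain\n"
    f"district_admin,{md5_hex('Summer2020')},Summer2020\n"
    f"lab_upload,{md5_hex('changeme')},\n"
    "auditor,pbkdf2_sha256$600000$00ff$abcd,\n"
)


def audit_credentials(csv_text):
    """Return {username: [findings]} for rows with weak password storage."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        stored, plain = row["password_hash"], row["password_plain"]
        if MD5_HEX.fullmatch(stored):
            issues.append("bare 32-hex digest (MD5-sized, no salt field)")
        if plain:
            issues.append("plaintext password stored")
            if md5_hex(plain) == stored.lower():
                issues.append("hash is unsalted MD5 of the plaintext column")
        if issues:
            findings[row["username"]] = issues
    return findings


def hash_password(password, salt=None):
    """Salted, iterated replacement: pbkdf2_sha256$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)
```

Because each call to `hash_password` draws a fresh salt, two accounts with the same password get different stored values, which is what the unsalted MD5 column lacked.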
Threat to Massive Medical Data
By exploiting these vulnerabilities, hackers can take over the platform and make changes such as modifying entries, closing case files, altering patients’ data, modifying test results, sending healthy people to quarantine, removing patients from quarantine early, and switching negative test results to positive and vice versa.
The incident exposed personally identifiable information (PII) of individuals, including admin usernames and passwords, full names, ages, genders, residence addresses, phone numbers, Case IDs, diagnoses, and other medical records.