A security flaw in a website run by the West Bengal Government in India enabled a hacker to access COVID-19 test results and other personal information of millions of Indian citizens.
The security flaw was identified by Sourajeet Majumder, a 17-year-old security researcher based in India, who said that the link that contained patients’ unique test identification numbers were encoded using the base64 encoding algorithm which can easily be decrypted using online decryption tools. Since the unique test identification numbers were sequenced, it was easy for the researcher to view the COVID-19 test results of multiple patients.
The website belonging to the Health and Welfare Department of the government of West Bengal is a part of its mass coronavirus testing programme which enables citizens to view their COVID-19 test reports once notified by the government.
The leaked data contained name, age, gender, address, date and time of COVID-19 test and the result of the same.
"I have found an issue in an Indian Government site which is resulting in the leakage of test reports of EVERYONE who took a COVID-19 test in a particular state. These reports have sensitive information about the citizens in them like name, age, date and time of sample testing, residence address, etc." Majumder told BleepingComputer.
Soon after discovering the security flaw, Majumder reported the vulnerability to the Indian Computer Emergency Response Team (CERT-In) and received an acknowledgment of the same via email. He also reached out to the IT contacts at West Bengal's Health and Welfare department to report the flaw. Though he did not receive any reply from them, the issue was resolved as the URL that previously leaked the COVID-19 test results now shows a ‘404 (not found) message’.
In a statement, Dr. Sushant Roy, a government-appointed health official overseeing the COVID-19 situation in North Bengal, acknowledged the leak and stated that barring the immediate family members, nobody is notified about a patients’ COVID test report. He was surprised to see how easily these reports were leaked and mentioned that immediate actions would be taken to rectify the issue.
It's still not confirmed if anyone apart from Sourajeet was able to access the test results. Sourajeet even expressed his concern about this data being leaked on the dark web. “As a well-informed ethical hacker or net researcher, I came to know about the matter and brought it to the notice of the state health department,” he told TV9 Bangla, a local news agency.
This is not the first security incident involving the leakage of millions of patients' records. In October last year, Dr. Lal PathLabs, one of India's largest diagnostic firms, stored the personal details of tens of thousands of patients in a public AWS server without protecting the server with a password, thereby enabling anyone to access sensitive patient data.
The unprotected AWS server owned by Dr. Lal PathLabs was discovered by Australian security researcher Sami Toivonen who found hundreds of large spreadsheets in the server. The spreadsheets contained details of millions of individual patient bookings along with personal details like patients' names, addresses, dates of birth, gender, phone numbers, as well as the tests they were taking. Some bookings also included whether a patient had tested positive for COVID-19.
Commencing on the leak of millions of patients’ COVID-19 test results in India, Jonathan Knudsen, senior security strategist at the Synopsys Software Integrity Group, said that like most software, the vulnerable application was probably built as quickly as possible with functionality being its only goal.
“We will stop seeing these kinds of headlines only when development teams include security at every phase of development. In this case, about ten minutes of threat modeling during the application’s design would have made obvious the danger of the scheme for referencing results.
“Designing a better access system would have added perhaps an hour or two to the development cycle. Like brushing your teeth or eating your vegetables, security needs to be a consistent habit with application development teams.
“For development teams, security is a habit that produces long-term positive results. Citizens whose information has been exposed are advised to be wary of unsolicited emails or telephone calls that might include information such as address, age, and other personal details," he added.