- Indian security researcher discovered a misconfiguration issue in Indian COVID-19 data portals leaking PII of 9 Lakh citizens.
- Data from Haryana's COVID websites was exposed, allowing unauthorized access to personal details and test results.
- Authorities have patched the vulnerability, but the leaked data is available on search engines and dark web, posing a risk of exploitation and scams.
Cyber Security Threat: This month, an Indian security researcher spotted a misconfiguration issue in one of India's COVID-19 data portals that leaked the PII of over 9 Lakh citizens!
The easy-to-exploit vulnerability has now been patched by the relevant authorities after being responsibly disclosed. While it's secured now, the government has not yet informed the public of this incident and is not immediately acting on the public exposure of the concerned URLs. It's found that the data was stolen and is being made available for free in several dark web marketplaces.
Leakage of Indians' COVID-19 Data
For a long time, we've seen numerous instances of cloud databases leaking the sensitive data stored in them due to improper configuration. While it's a shame for the server managers, leaking such databases due to very basic issues is more concerning. And it just happened with Indian authorities, who left personally identifiable data of over 20,000 citizens in the wild.
As seen and reported by Sourajeet Majumder, an Indian security researcher, the COVID websites of Haryana, the Covid Sample Report Portal and the Covid-19 Sero Survey Portal, are tagged as the primary culprits here.
🧵 How a misconfig let anyone view PII of Covid-19 patients and modify data related to Covid-19 sero survey (Of Haryana)
So, the Govt Of Haryana has 2 state projects under the @_DigitalIndia programme called:
1. Covid Sample Report Portal
2. Covid-19 Sero Survey Portal (1/13) pic.twitter.com/9tWpzhsn4g
— Sourajeet Majumder (@TechCrucio) January 13, 2022
However, another Indian security researcher, Rajshekhar Rajaharia, raised the issue on Twitter. As per his statement, he isn't reporting any vulnerabilities. He also warned people to stay alert for any pre/post Covid19-related fraud calls, offers, or treatment.
PII including Name, MOB, PAN, Address etc of #Covid19 #RTPCR results & #Cowin data getting public through a Govt CDN. #Google indexed almost 9 Lac public/private #GovtDocuments in search engines. Patient's data is now listed on #DarkWeb. Need fast deindex #Infosec @IndianCERT pic.twitter.com/LgQxZZi8T6
— Rajshekhar Rajaharia (@rajaharia) January 19, 2022
The first site is used for storing the COVID-19 testing details uploaded by all COVID-19 laboratories (public or private), for direct monitoring by Haryana's Chief Minister. The second site is for estimating and monitoring the trends of SARS-CoV infection's seroprevalence in Haryana's high-burden cities.
The data of 9 lakh Indian COVID-19 patients has been leaked on a search engine.
Second, there are some publicly accessible Google-indexed CDN pages of Govt. sites where the data can be accessed.
They were said to have basic issues that leaked the data of thousands of people to anyone without authorized privileges. According to Majumder, a simple Forced Browsing/Direct URL access attack let him reach the supposedly secured records within, and even modify them as desired!
Explaining further, he said any unauthorized person could visit the website to view a list of all positive patients from Haryana, along with their mobile number, age, gender, residential address, test results, etc. In total, there were over 2,68,126 patients listed in them, with more being added in real time.
Apart from accessing the records, the perpetrator could edit them too: changing test results to positive or negative, deleting records, changing sample IDs, and viewing or adding the related lab in-charge. He disclosed this responsibly to the concerned authority on December 14th last year, which prompted the authority to pull down the site for a couple of hours.
Though it thanked him for his report, the authority has not responded to further questions, such as whether there are any traces of exploitation of the vulnerability in the wild. Two weeks later, the site was restored with the vulnerability fixed. While it's secured now, a more concerning part is Google's indexing of these sites' URLs in its results.
This can let anyone check the sensitive data that's restricted to administrators! Also, we've found that the dump Majumder described is now available for free on one of the popular database forums, letting anyone with basic knowledge of such groups get their hands on it!