Cyber Security Threat: This month, an Indian security researcher spotted a misconfiguration issue in one of India’s COVID-19 data portals that leaked the PII of over 9 lakh citizens!
The easy-to-exploit vulnerability has now been patched by the relevant authorities after being responsibly disclosed. While it’s secured now, the government has not yet informed the public of this incident and is not acting immediately on the public exposure of the concerned URLs. It has been found that the data was stolen and is being made available for free in several dark web marketplaces.
Leakage of Indians’ COVID-19 Data
For a long time, we’ve seen numerous instances of cloud databases leaking the sensitive data stored in them due to improper configuration. While it’s a shame for the server managers, leaking such databases due to very basic issues is even more concerning. And it just happened with Indian authorities, who left the personally identifiable data of over 20,000 citizens in the wild.
As seen and reported by Sourajeet Majumder, an Indian security researcher, the COVID websites of Haryana – Covid Sample Report Portal and the Covid-19 Sero Survey Portal – are tagged as the primary culprits here.
🧵 How a misconfig let anyone view PII of Covid-19 patients and modify data related to Covid-19 sero survey (Of Haryana)
So, the Govt Of Haryana has 2 state projects under the @_DigitalIndia programme called:
1. Covid Sample Report Portal
2. Covid-19 Sero Survey Portal
— Sourajeet Majumder (@TechCrucio) January 13, 2022
However, another Indian security researcher, Rajshekhar Rajaharia, also raised the issue on Twitter. As per his statement, he isn’t reporting any vulnerabilities. He also warned people to stay alert for any pre/post COVID-19-related fraud calls, offers, or treatments.
PII including Name, MOB, PAN, Address etc of #Covid19 #RTPCR results & #Cowin data getting public through a Govt CDN. #Google indexed almost 9 Lac public/private #GovtDocuments in search engines. Patient's data is now listed on #DarkWeb. Need fast deindex #Infosec @IndianCERT pic.twitter.com/LgQxZZi8T6
— Rajshekhar Rajaharia (@rajaharia) January 19, 2022
The first site is used for storing the COVID-19 testing details uploaded by all COVID-19 laboratories (public or private), for direct monitoring by Haryana’s Chief Minister. The second site is for estimating and monitoring trends in the seroprevalence of SARS-CoV infection in Haryana’s high-burden cities.
The data of 9 lakh Indian COVID-19 patients has been leaked on a search engine.
Additionally, there are some publicly accessible, Google-indexed CDN pages of government sites from which the data can be accessed.
Both were said to have basic issues that leaked the data of thousands of people to anyone, without any authorization. According to Majumder, a simple Forced Browsing/Direct URL access attack allowed him to access the supposedly secured records within, and even modify them as desired!
Explaining further, he said any unauthorized person could visit the website to view a list of all positive patients from Haryana, along with their mobile number, age, gender, residential address, test results, etc. In total, there were over 2,68,126 patients listed, with more being added in real-time.
Apart from accessing the records, the perpetrator could edit them too: changing test results to positive or negative, deleting records, changing sample IDs, and viewing or adding the related lab in-charge. He responsibly disclosed this to the concerned authority on December 14th last year, which prompted the authority to pull down the site for a couple of hours.
Apart from thanking him for his report, the authority has not responded to further questions, such as whether there are any traces of the vulnerability being exploited in the wild. Two weeks later, the site was restored with the vulnerability fixed. While it’s secured now, a more concerning part is Google’s indexing of these sites’ URLs in its search results.
This can let anyone view sensitive data that is supposed to be restricted to administrators! Also, we’ve found that the dump Majumder described is now available for free on one of the popular database forums, letting anyone with basic knowledge of such groups get their hands on it!
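The flaw described above is a missing server-side authorization check: the record is fetched and modified purely from the ID in the URL. The following added example (not code from the portals or from either researcher) models that endpoint with constructed sample records, showing the unprotected handler beside a hardened one that denies anonymous requests before touching data, limits writes to the owning lab or an admin, and tags responses with `X-Robots-Tag` so leaked URLs are not indexed. Names, roles and status codes are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

def sample_store():
    """Constructed stand-in for a lab-results table (not the portal's real schema)."""
    return {"S-1001": {"name": "Patient A", "mobile": "9000000001",
                       "result": "negative", "lab": "LAB-7"}}

@dataclass
class Request:
    method: str                       # "GET" or "POST"
    sample_id: str                    # record ID taken from the URL
    session: Optional[dict] = None    # None models an anonymous visitor or crawler
    new_result: Optional[str] = None  # value a POST tries to write

def vulnerable_handle(store, req):
    """Mirrors the reported flaw: the ID in the URL is trusted and the record is
    returned or rewritten with no check of who is asking (forced browsing)."""
    rec = store.get(req.sample_id)
    if rec is None:
        return 404, None, {}
    if req.method == "POST":
        rec["result"] = req.new_result
    return 200, rec, {}

def hardened_handle(store, req):
    """Same endpoint with server-side checks. Authentication is verified before any
    lookup, writes require admin or the lab that owns the sample, and responses
    carry no-index / no-store headers so a leaked URL cannot be cached or indexed."""
    headers = {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"}
    if not req.session or not req.session.get("user"):
        return 401, None, headers                  # anonymous: deny before touching data
    rec = store.get(req.sample_id)
    if rec is None:
        return 404, None, headers
    if req.method == "POST":
        role = req.session.get("role")
        owns = role == "lab_incharge" and req.session.get("lab") == rec["lab"]
        if not (role == "admin" or owns):
            return 403, None, headers              # authenticated but not authorized
        if req.new_result not in ("positive", "negative"):
            return 400, None, headers              # reject out-of-range values
        rec["result"] = req.new_result
    return 200, rec, headers
```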