Millions Exposed in COVID-19 Surveillance Platform Snafu
In India, eight million patients had their personal and medical details compromised after multiple vulnerabilities were discovered within a COVID-19 surveillance system run by the government, called the Surveillance Platform Uttar Pradesh Covid-19. The software bugs were first found by vpnMentor researchers while conducting a routine web scan in early August. The researchers then contacted the cybercrime department of the Uttar Pradesh government; however, the issue was not remediated until September 10.
The vulnerabilities uncovered within the contact tracing platform include an unsecured git repository containing platform code and plain text admin credentials, as well as an index of CSV files containing reports on COVID-19 patients, accessible without a password. Data exposed included full names, addresses, diagnoses, symptoms, medical records, and phone numbers. Researchers also stated that the passwords in the git repository were listed twice, once in unsalted MD5 hashes, which are easy to crack. The significant vulnerabilities could have allowed a threat actor to take complete control of the admin dashboard of the surveillance platform.