The researchers found that there were several vulnerabilities that could jeopardize the platform virus monitoring. However, what ultimately led to the breach was the lack of security measures.
VPNmentor researchers note that the Uttar Pradesh regional government developed the tool as part of a large-scale mapping project. Its primary purpose was to detect and detect coronavirus patients throughout India and the lack of "data security protocols left access to the platform open", revealing the data of millions in India.
Investigators they claim that the COVID-19 detection tool contained many vulnerabilities, which exposed users' personal data. Exposed data includes the full names, gender, age, home address and contact numbers of all people who have tried the tool.
The data was secured one month after the violation was discovered. According to VPNMentor analysts, Ran Locar and Noam Rotem, the first vulnerability was found in an unsecured and unencrypted git repository, which included usernames, administrator accounts, and passwords stored on the platform.
Based on this discovery, the researchers found an exhibit Web Index, which contained a list of CSV file directories. It contained information on all known COVID-19 cases in the UP and other locations in India.
Sensitive private data, including the full name, telephone numbers, addresses and test results of some 8 million citizens, was part of the list. The list also contained information about foreign residents and health care workers and was not password protected.
There is no evidence that any malicious agent used the exposed data for fraud, but researchers believe that the impact of vulnerabilities on the monitoring tool could be widespread.