A security lapse on a website operated by the government of West Bengal, India, exposed the laboratory results of at least hundreds of thousands (although possibly millions) of residents who had been tested for COVID-19.
The website is part of the West Bengal government's large-scale coronavirus testing program. Once a COVID-19 test result is ready, the government sends the patient a text message with a link to the website containing the test results.
However, security researcher Sourajeet Majumder found that the link contained the patient's unique test identification number, obscured only with base64 encoding, which can be easily decoded using online tools. Because the identification numbers are assigned in increasing order, the website bug meant that anyone could change the number in their browser's address bar and view other patients' test results.
The test results include the patient’s name, gender, age, mailing address, and whether the patient’s laboratory test results are positive, negative or uncertain for COVID-19.
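The flaw described above comes down to treating an encoded, sequential ID as if it were a secret. As an added example (not code from the affected website or from the original report), this Python code contrasts that scheme with a link token carrying an HMAC tag that the server checks before showing a result; the function names, key handling and sample IDs are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret loaded from a secret store; random here.
LINK_KEY = secrets.token_bytes(32)

def weak_token(test_id: int) -> str:
    """Scheme the article describes: a sequential ID, merely base64-encoded."""
    return base64.urlsafe_b64encode(str(test_id).encode()).decode()

def weak_lookup(token: str) -> int:
    """Any well-formed token is accepted, so neighbouring IDs resolve too."""
    return int(base64.urlsafe_b64decode(token))

def signed_token(test_id: int, key: bytes = LINK_KEY) -> str:
    """Hardened link token: the ID plus a truncated HMAC-SHA256 tag over it."""
    body = str(test_id).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(body + b"." + tag).decode()

def verify_token(token: str, key: bytes = LINK_KEY):
    """Return the test ID if the tag matches, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        body, tag = raw.split(b".", 1)  # body is digits, so first "." separates
    except ValueError:
        return None
    if not body.isdigit():
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return int(body) if hmac.compare_digest(tag, expected) else None

def swap_id(token: str, new_id: int) -> str:
    """Test helper: keep the tag but change the ID, as a tampered link would."""
    raw = base64.urlsafe_b64decode(token.encode())
    tag = raw.split(b".", 1)[1]
    return base64.urlsafe_b64encode(str(new_id).encode() + b"." + tag).decode()

if __name__ == "__main__":
    good = signed_token(1001)                 # 1001 is a constructed sample ID
    print(weak_lookup(weak_token(1002)))      # weak scheme: neighbour resolves
    print(verify_token(good))                 # valid link resolves
    print(verify_token(swap_id(good, 1002)))  # tampered link is rejected
```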
Majumder told TechCrunch that he was worried that malicious attackers would crawl the site and sell the data. He said: “If other people can access my private information, it would violate privacy.”
Majumder reported the vulnerability to CERT in India (the country’s specialized cybersecurity response agency), which acknowledged the problem in an email. He also contacted the webmaster of the West Bengal government, who did not respond. TechCrunch independently confirmed the vulnerability and contacted the West Bengal government, which took the website offline, but did not respond to our request for comment.
TechCrunch held our report until the vulnerability was fixed or no longer presented a risk. At the time of publication, the affected website was still offline.
It is not clear exactly how many COVID-19 laboratory results were exposed because of this security lapse, or whether anyone other than Majumder discovered the vulnerability. When the website went offline at the end of February, the state government had tested 8.5 million residents for COVID-19.
West Bengal is one of the most populous states in India, with approximately 90 million residents. Since the beginning of the pandemic, the state government has recorded more than 10,000 coronavirus deaths.
This is the latest in a run of security incidents affecting India and its response to the coronavirus pandemic in the past few months.
Last May, India's largest mobile phone network, Jio, admitted a security breach after security researchers discovered a database containing the company's coronavirus symptom checker, which Jio had launched a few months earlier.
In October, a security researcher discovered that Dr. Lal PathLabs had left hundreds of Millions of patient appointment records (including those for COVID-19 testing) on public storage servers that were not protected by passwords, where anyone could access sensitive patient data.
Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using SecureDrop.