Indian State Government Website Exposed COVID-19 Lab Test Results

A security flaw in a website run by the government of West Bengal in India exposed the lab results of at least hundreds of thousands of residents, though likely millions, who took a COVID-19 test. TechCrunch reports: The website is part of the West Bengal government's mass coronavirus testing program. Once a COVID-19 test result is ready, the government sends a text message to the patient with a link to its website containing their test results. But security researcher Sourajeet Majumder found that the link containing the patient's unique test identification number was scrambled with base64 encoding, which can be easily converted using online tools. Because the identification numbers were incrementally sequenced, the website bug meant that anyone could change that number in their browser's address bar and view other patients' test results.

The test results contain the patient's name, sex, age, postal address and if the patient's lab test result came back positive, negative or inconclusive for COVID-19. Majumder told TechCrunch that he was concerned a malicious attacker could scrape the site and sell the data. "This is a privacy violation if somebody else gets access to my private information," he said. Majumder reported the vulnerability to India's CERT, the country's dedicated cybersecurity response unit, which acknowledged the issue in an email. He also contacted the West Bengal government's website manager, who did not respond. TechCrunch independently confirmed the vulnerability and also reached out to the West Bengal government, which pulled the website offline, but did not return our requests for comment.

Could be worse

[boudie2]

India with roughly 3 times the population of the United States has less than 1/3 the number of deaths from covid-19 (158k vx 520k). And they're almost right next to China. Perplexing.

Re:Could be worse

[bazmail]

I'm a patriot, there is nothing I wouldn't do for the stars and stripes. Ol' glory, 4th of July etc. etc.

Also

Me wear a mask??? But muh FREEDOMZ wahhhh!

Re:

[bobstreo]

India with roughly 3 times the population of the United States has less than 1/3 the number of deaths from covid-19 (158k vx 520k). And they're almost right next to China. Perplexing.

FTFY:

>India with roughly 3 times the population of the United States has less than 1/3 the reported number of deaths from covid-19 (158k vx 520k)

India is closer to more like 4 times the current US population.

Re:

[Ecuador]

Well, you have to look at all the stats. Despite having over 4 times the US population, India per capita testing has been abysmal. I mean the've done a bit less than half of the tests the US has done in total. Also, their death/verified case ratio is better than the US (1.4% vs 1.8%). OK, the US death rate is worse than other western nations, but still India is not know for its healthcare system in general. All this tells me that deaths and cases are vastly underreported in India. I mean you need to test to

Re:

[junglee_iitk]

The deaths and cases may be vastly underestimated but still India is know for its healthcare system in general. If you don't know that it is really your lack of knowledge.

Re:

[Ecuador]

I mean, it just from what I read. Even trying a quick google and on the first page of the results for "India healthcare" (so not my own particular choice of sources, just random) I read that India has an abysmal record in public health. It presently spends a little over 1% of GDP on public healthcare, one of the lowest levels in the world. [bbc.co.uk] or that India has only half the number of doctors required to meet the World Health Organization standard of one doctor for every 1,000 people [ft.com] or India’s public hea [telegraph.co.uk]

Re:

[junglee_iitk]

You do lack knowledge. That is why you are being an arrogant prick. You are, in fact, a moron who things Googling will be effective in acquiring knowledge as if it is some coding challenge. India is not a socialist utopia and not a developed country. It is not going to become Sweden in the next 100 years either.

I, on the other hand, have a minor degree in sociology specializing in population. India's population at the beginning of its' independence from the British was 350 million. It is now 1.35 billion be

Re:

[nashv]

India has a poor public health system, but the majority of the population - the upper and middle class is serviced by the *private* health system, which is quite affordable. Anyone with an income of more than Rs. 100,000 per month (which is basically about 500 million people about 500 million people [quoracdn.net] ) would have never even seen a public health facility from the inside.

The private health system in India is comparable to, and often exceeds the public health system in Western countries.

Re:

[nashv]

Because if you add it all up, it doesn't get to 1.35 billion. There is a very large informal (untaxed/-able) sector that we have no data from. But it is obvious that the untaxed/-able sector is not all poor.

Re:

[Admiral Krunch]

India with roughly 3 times the population of the United States has less than 1/3 the number of deaths from covid-19 (158k vx 520k).

America really did stuff up that badly.

And they're almost right next to China.

Yea, Almost... [google.com] rolls eyes

Re:

[boudie2]

Well, if you count Tibet as part of China. Free Tibet!

Re:

[tomhath]

Yes, comparing healthcare statistics across countries is pointless because all you're comparing is *reported* data.

Encoding method?

[Whibla]

Ok, so the summary and article state that "Sourajeet Majumder found that the link containing the patient’s unique test identification number was scrambled with base64 encoding", but then goes on to say "the identification numbers were incrementally sequenced, [so] the website bug meant that anyone could change that number in their browser’s address bar and view other patients’ test results."

Unless I'm missing something (or the article has been severely 'dumbed down'), the problem isn't that the encoding method is trivial, hence insecure, the problem is that there's nothing to stop any unauthenticated user from accessing any or all pages on the site. And this holds true regardless of whether the id numbers were incremental, successive sequences within Pi, or completely random.

How many more times are IT professionals (not to mention IT journalists) going to conflate encryption with authentication? *Sigh*

Re:

[dissy]

Unless I'm missing something (or the article has been severely 'dumbed down'), the problem isn't that the encoding method is trivial, hence insecure, the problem is that there's nothing to stop any unauthenticated user from accessing any or all pages on the site. And this holds true regardless of whether the id numbers were incremental, successive sequences within Pi, or completely random.

A unique value, randomly selected from a large enough pool of potential values, is actually a form of authentication.
It would be called an "assigned shared secret"

For example if the value was a 64 bit number, and only a few million random-ish selected numbers are valid, that would serve to authenticate the bearer of that ID.
At least as far as any assigned shared secret does.

But in this case the values were sequential and thus chosen from a much smaller pool of potential values (a pool size equal to the numb

"State's Government"

[drinkypoo]

There's more than one Indian state

Otherwise you're talking about their national government

We've known this for years

[imidan]

the link containing the patient's unique test identification number was scrambled with base64 encoding, which can be easily converted using online tools. Because the identification numbers were incrementally sequenced, the website bug meant that anyone could change that number in their browser's address bar and view other patients' test results.

I made a website for my book club. The first page I made was the password reset request page, and then I made the password reset page. The reset page allowed a pers

Re:

[scdeimos]

How can people keep making web sites with these stupidly obvious flaws? The slightest amount of reading will tell you not to do this.

People keep making these mistakes because they don't know any better. They don't know any better because none of the universities or MOOCs teach anything about security, taint, or protecting PII.

If you follow the any of the sql-related tags on StackOverflow you'll see dozens of developers every single day posting code in their questions asking "why doesn't this work?" and pro