Medicine Privacy Security

Indian State Government Website Exposed COVID-19 Lab Test Results (techcrunch.com) 25

A security flaw in a website run by the government of West Bengal in India exposed the lab results of at least hundreds of thousands of residents, though likely millions, who took a COVID-19 test. TechCrunch reports: The website is part of the West Bengal government's mass coronavirus testing program. Once a COVID-19 test result is ready, the government sends a text message to the patient with a link to its website containing their test results. But security researcher Sourajeet Majumder found that the link containing the patient's unique test identification number was scrambled with base64 encoding, which can be easily converted using online tools. Because the identification numbers were incrementally sequenced, the website bug meant that anyone could change that number in their browser's address bar and view other patients' test results.

The test results contain the patient's name, sex, age, postal address and if the patient's lab test result came back positive, negative or inconclusive for COVID-19. Majumder told TechCrunch that he was concerned a malicious attacker could scrape the site and sell the data. "This is a privacy violation if somebody else gets access to my private information," he said. Majumder reported the vulnerability to India's CERT, the country's dedicated cybersecurity response unit, which acknowledged the issue in an email. He also contacted the West Bengal government's website manager, who did not respond. TechCrunch independently confirmed the vulnerability and also reached out to the West Bengal government, which pulled the website offline, but did not return our requests for comment.
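The link scheme described in the summary, next to one way to close the gap, as an added example that is not code from the West Bengal site or from TechCrunch. The record store, function names and token design are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import secrets

# Constructed sample records; IDs and contents are illustrative only.
RESULTS = {1001: "patient A: negative", 1002: "patient B: positive"}

def weak_link_id(test_id: int) -> str:
    """Pattern from the summary: base64 of a sequential number."""
    return base64.urlsafe_b64encode(str(test_id).encode()).decode()

def weak_lookup(link_id: str):
    """Decodes the ID and returns the record; nothing ties it to the caller."""
    try:
        test_id = int(base64.urlsafe_b64decode(link_id).decode())
    except (binascii.Error, ValueError):
        return None
    return RESULTS.get(test_id)

# Hardened variant (assumed design): the link carries a random 128-bit
# token, and the server stores only its SHA-256 digest -> record ID.
TOKEN_INDEX = {}

def issue_token(test_id: int) -> str:
    token = secrets.token_urlsafe(16)  # 16 random bytes from the OS CSPRNG
    TOKEN_INDEX[hashlib.sha256(token.encode()).hexdigest()] = test_id
    return token

def strong_lookup(token: str):
    """Returns a record only for a token the server actually issued."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    test_id = TOKEN_INDEX.get(digest)
    return RESULTS.get(test_id) if test_id is not None else None

if __name__ == "__main__":
    print(weak_link_id(1001), "->", weak_lookup(weak_link_id(1001)))
    link = issue_token(1001)
    print(link, "->", strong_lookup(link))
    print("encoded ID as token ->", strong_lookup(weak_link_id(1002)))
```

The token is a bearer secret: whoever holds the SMS link can open the record, so a login or a second check on top of it remains the stronger control.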

  • India with roughly 3 times the population of the United States has less than 1/3 the number of deaths from covid-19 (158k vs 520k). And they're almost right next to China. Perplexing.
    • Re:Could be worse (Score:4, Insightful)

      by bazmail ( 764941 ) on Friday March 05, 2021 @05:52AM (#61126382)

      I'm a patriot, there is nothing I wouldn't do for the stars and stripes. Ol' glory, 4th of July etc. etc.

      Also

      Me wear a mask??? But muh FREEDOMZ wahhhh!

    • India with roughly 3 times the population of the United States has less than 1/3 the number of deaths from covid-19 (158k vs 520k). And they're almost right next to China. Perplexing.

      FTFY:

      >India with roughly 3 times the population of the United States has less than 1/3 the reported number of deaths from covid-19 (158k vs 520k)

      India is closer to more like 4 times the current US population.

    • by Ecuador ( 740021 )

      Well, you have to look at all the stats. Despite having over 4 times the US population, India's per capita testing has been abysmal. I mean they've done a bit less than half of the tests the US has done in total. Also, their death/verified case ratio is better than the US (1.4% vs 1.8%). OK, the US death rate is worse than other western nations, but still India is not known for its healthcare system in general. All this tells me that deaths and cases are vastly underreported in India. I mean you need to test to

    • India with roughly 3 times the population of the United States has less than 1/3 the number of deaths from covid-19 (158k vs 520k).

      America really did stuff up that badly.

      And they're almost right next to China.

      Yea, Almost... [google.com] rolls eyes

    • by tomhath ( 637240 )
      Yes, comparing healthcare statistics across countries is pointless because all you're comparing is *reported* data.
  • by Whibla ( 210729 ) on Friday March 05, 2021 @06:52AM (#61126454)

    Ok, so the summary and article state that "Sourajeet Majumder found that the link containing the patient’s unique test identification number was scrambled with base64 encoding", but then goes on to say "the identification numbers were incrementally sequenced, [so] the website bug meant that anyone could change that number in their browser’s address bar and view other patients’ test results."

    Unless I'm missing something (or the article has been severely 'dumbed down'), the problem isn't that the encoding method is trivial, hence insecure, the problem is that there's nothing to stop any unauthenticated user from accessing any or all pages on the site. And this holds true regardless of whether the id numbers were incremental, successive sequences within Pi, or completely random.

    How many more times are IT professionals (not to mention IT journalists) going to conflate encryption with authentication? *Sigh*

    • by dissy ( 172727 )

      Unless I'm missing something (or the article has been severely 'dumbed down'), the problem isn't that the encoding method is trivial, hence insecure, the problem is that there's nothing to stop any unauthenticated user from accessing any or all pages on the site. And this holds true regardless of whether the id numbers were incremental, successive sequences within Pi, or completely random.

      A unique value, randomly selected from a large enough pool of potential values, is actually a form of authentication.
      It would be called an "assigned shared secret"

      For example if the value was a 64 bit number, and only a few million random-ish selected numbers are valid, that would serve to authenticate the bearer of that ID.
      At least as far as any assigned shared secret does.

      But in this case the values were sequential and thus chosen from a much smaller pool of potential values (a pool size equal to the numb

  • There's more than one Indian state

    Otherwise you're talking about their national government

  • the link containing the patient's unique test identification number was scrambled with base64 encoding, which can be easily converted using online tools. Because the identification numbers were incrementally sequenced, the website bug meant that anyone could change that number in their browser's address bar and view other patients' test results.

    I made a website for my book club. The first page I made was the password reset request page, and then I made the password reset page. The reset page allowed a pers

    • How can people keep making web sites with these stupidly obvious flaws? The slightest amount of reading will tell you not to do this.

      People keep making these mistakes because they don't know any better. They don't know any better because none of the universities or MOOCs teach anything about security, taint, or protecting PII.

      If you follow any of the sql-related tags on StackOverflow you'll see dozens of developers every single day posting code in their questions asking "why doesn't this work?" and pro
