Another human error, this time a flaw in a health department website in the Indian state of West Bengal, has exposed confidential COVID-19 test results along with personally identifiable information (PII) for an entire region's population.
A teenage ethical hacker discovered a flawed endpoint on a website of the state's health department that exposed test results and the PII attached to them.
According to the researcher, test results for more than 8 million people were potentially exposed before the agency fixed the error.
Teenage Ethical Hacker
Sourajeet Majumder, a teenage ethical hacker in India, noticed a flaw in the structure of a URL in a text message informing a recipient of their test result from Bengal health authorities. The URL offered a path to other people's test results, according to a report in Bleeping Computer.
The error was traced back to a faulty endpoint at the Health & Family Welfare Department of the State of West Bengal, the report states.
Specifically, the URL in the message, which appeared just before the test result, contained a base64-encoded report ID number. A threat actor could decode that number, change it & construct new URLs that granted access to other people's test results, Majumder explained.
‘Covid-19 Test Result’
In the example shown in the report, the text “The Covid-19 Test Result of [Name]” was followed by “SRF ID 193” and then the result, “negative”.
Majumder investigated further & realised that the base64 encoding of the numeric identifier was optional: removing it did not affect the ability to retrieve reports. By decoding the identifier in one URL & constructing others from it, he said, an attacker could retrieve millions of confidential COVID-19 test results, according to the report.
Each record contained the patient's name, age, gender, partial home address, COVID-19 test result, date of the test, report identifier & even identifying details for the lab where the test was conducted, Majumder said.
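The flaw class described above is an insecure direct object reference: the report ID in the link is sequential, the base64 wrapper adds no secrecy, and the server treats possession of the ID as sufficient authorisation. The following is an added example, written for this page and not code from the West Bengal site, the Bleeping Computer report or the researcher. It uses a hypothetical endpoint `https://health.example/report?id=`, a constructed in-memory table of fake records and an invented HMAC-token scheme; it shows the sloppy ID parser beside the enumeration it enables, and one way to harden the lookup so that knowing or guessing an ID is no longer enough.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed sample records standing in for the results database (fake data).
REPORTS = {
    191: {"name": "Patient A", "age": 34, "result": "negative", "lab": "Lab 1"},
    192: {"name": "Patient B", "age": 57, "result": "positive", "lab": "Lab 1"},
    193: {"name": "Patient C", "age": 22, "result": "negative", "lab": "Lab 2"},
    194: {"name": "Patient D", "age": 45, "result": "negative", "lab": "Lab 2"},
}

# Hypothetical endpoint for illustration; not the real department's URL.
BASE_URL = "https://health.example/report?id="


def decode_report_id(param: str):
    """Sloppy parser that accepts either a raw decimal ID or its base64 form.

    This mirrors the behaviour the article describes: the encoding is optional,
    so an attacker can decode one ID, add or subtract from it, and re-encode it
    (or not) to reach other people's reports.
    """
    if param.isascii() and param.isdigit():
        return int(param)
    try:
        raw = base64.b64decode(param, validate=True)
    except (binascii.Error, ValueError):
        return None
    return int(raw) if raw.isdigit() else None


def vulnerable_lookup(param: str):
    """Vulnerable handler: the report ID alone is the only 'credential'."""
    return REPORTS.get(decode_report_id(param))


def enumerate_neighbours(param: str, span: int):
    """What an attacker does: decode the seen ID, then build URLs for nearby IDs."""
    seed = decode_report_id(param)
    if seed is None:
        return []
    urls = []
    for candidate in range(seed - span, seed + span + 1):
        encoded = base64.b64encode(str(candidate).encode()).decode()
        urls.append(BASE_URL + encoded)
    return urls


# --- Hardened version -------------------------------------------------------
# Assumption (not from the article): the server holds a secret key and binds each
# report to an unguessable token that is sent only to the person the report concerns.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(report_id: int) -> str:
    """Token embedded in the SMS link; HMAC over the ID, so IDs cannot be enumerated."""
    return hmac.new(SERVER_KEY, str(report_id).encode(), hashlib.sha256).hexdigest()


def hardened_lookup(report_id: int, token: str):
    """Returns a report only if the caller presents the token issued for that ID."""
    expected = issue_token(report_id)
    if not hmac.compare_digest(expected, token):
        return None
    return REPORTS.get(report_id)


if __name__ == "__main__":
    seen = base64.b64encode(b"193").decode()  # "MTkz", as it would appear in a link
    print("vulnerable:", vulnerable_lookup(seen))
    print("vulnerable, encoding stripped:", vulnerable_lookup("193"))
    for url in enumerate_neighbours(seen, 1):
        print("candidate:", url)
    print("hardened, wrong token:", hardened_lookup(193, "0" * 64))
    print("hardened, right token:", hardened_lookup(193, issue_token(193)))
```

The hardened lookup still exposes the sequential ID in the link, which is acceptable only because the token is unguessable without the server key and is never shown to anyone but the patient; a stronger design ties the report to an authenticated session, for instance a one-time code sent to the phone number registered with the sample, so that a forwarded or intercepted link alone does not reveal the result.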
Indian Govt. Site
“I have found an issue in an Indian Govt. site which is resulting in the leakage of test reports of EVERYONE who took a COVID-19 test in a particular state,” Majumder outlined. “These reports have sensitive information about the citizens in them, like name, age, date & time of sample testing, residence address, etc.”
A potential hack leading to the ability to view the information would have looked something like this, according to the report:
The researcher said he tried to contact the health department about the leak but did not reach them. Majumder also disclosed his finding to a regional newspaper in India, which published a report on Tuesday in which a North Bengal health official, Dr. Sushant Roy, acknowledged the flaw & said it would be fixed immediately.
The flaw has since been remediated & it is no longer possible to access reports using the enumeration method, Bleeping Computer says.
Data-Leak Accidents Abound
Though the COVID-19 data in this case was not leaked intentionally, it is not the first inadvertent exposure of test results or other related sensitive information since the pandemic began.
In September, NHS Wales admitted that it had accidentally uploaded PII of Welsh residents who tested positive for COVID-19 to a public server that anyone could search, exposing the information of more than 16,000 people. The leak, which was fixed one day later, was blamed on “individual human error.”
In November, a COVID-19 data-sharing platform used by healthcare workers in the Philippines was found to be exposing healthcare-worker data & could potentially have leaked patient data due to multiple system flaws.
Not all COVID-19-related breaches have been accidental, either: threat actors have wilfully sought ways to get their hands on sensitive pandemic-related data through targeted attacks.