Indian state government website exposed COVID-19 lab test results – TechCrunch

A security flaw in a website run by the government of West Bengal in India exposed the laboratory results of at least hundreds of residents, and possibly millions, who were tested for COVID-19.

The website is part of the West Bengal government's coronavirus testing program. Once a COVID-19 test result is ready, the government sends the patient a text message containing a link to their result.

But security researcher Saurajit Mazumdar found that the link containing the patient's unique test identification number was merely obscured with base64 encoding, which can be trivially decoded with online tools. Because the identification numbers were sequential, anyone could decode the number, change it in their browser's address bar, re-encode it, and view another patient's test result: a classic insecure direct object reference, with no check that the person requesting the result was the person it belonged to.
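The following is an added illustration, not code from the article or from the West Bengal site, of why the pattern above fails and what a defensible replacement looks like. It assumes a hypothetical results endpoint (`results.example.invalid`) and uses constructed placeholder records. The insecure handler trusts a base64-wrapped sequential counter; the hardened handler issues a random, unguessable token per result, stores only its hash, and expires it.

```python
import base64
import hashlib
import secrets
import time
from typing import Optional

# Constructed sample data: placeholder records keyed by a sequential test number.
RESULTS = {
    1001: {"name": "Patient A", "result": "negative"},
    1002: {"name": "Patient B", "result": "positive"},
}
BASE_URL = "https://results.example.invalid/view?id="  # hypothetical host


# ---- Vulnerable pattern: the link carries base64(sequential id) ----
def encode_id(test_id: int) -> str:
    """Base64 is an encoding, not encryption: it hides nothing."""
    return base64.urlsafe_b64encode(str(test_id).encode()).decode()


def id_from_param(id_param: str) -> int:
    """The parameter decodes straight back to the underlying counter."""
    return int(base64.urlsafe_b64decode(id_param).decode())


def lookup_insecure(id_param: str) -> Optional[dict]:
    """Handler that trusts the decoded id and never asks who is requesting it."""
    return RESULTS.get(id_from_param(id_param))


# ---- Hardened pattern: opaque per-result tokens with expiry ----
TOKEN_TTL = 7 * 24 * 3600  # links should not live forever
_TOKENS: dict = {}  # sha256(token) -> (test_id, issued_at)


def issue_token(test_id: int, now: Optional[float] = None) -> str:
    """Mint a 256-bit random token for one result; store only its hash."""
    token = secrets.token_urlsafe(32)  # unguessable, no relation to any counter
    digest = hashlib.sha256(token.encode()).hexdigest()
    _TOKENS[digest] = (test_id, now if now is not None else time.time())
    return token


def lookup_secure(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the record only for a known, unexpired token; otherwise nothing."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _TOKENS.get(digest)
    if entry is None:
        return None
    test_id, issued_at = entry
    current = now if now is not None else time.time()
    if current - issued_at > TOKEN_TTL:
        return None
    return RESULTS.get(test_id)


if __name__ == "__main__":
    link = BASE_URL + encode_id(1001)
    print("insecure link:", link, "-> decodes to", id_from_param(link.split("id=")[1]))
    token = issue_token(1001)
    print("secure link:", BASE_URL + token, "->", lookup_secure(token))
```

A random token removes the enumeration problem, but it is still a bearer secret: anyone holding the SMS holds the result. Where the data is this sensitive, the token should additionally be paired with a second factor the recipient already has, such as a one-time code sent to the same phone number, and lookups for unknown or expired tokens should be logged and rate-limited so that guessing attempts are visible.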

The test result includes the patient's name, gender, age, postal address, and whether the patient's laboratory test result was positive, negative, or inconclusive for COVID-19.

Mazumdar told TechCrunch that he was worried that a malicious attacker could scrape the site and sell the data. "It's a privacy violation if someone else gets access to my personal information," he said.


Two COVID-19 laboratory test results revealed as a result of a security vulnerability on the West Bengal government website. (Screenshot: TechCrunch)

Mazumdar reported the vulnerability to India's CERT, the country's dedicated cyber security incident response unit, which acknowledged the issue in an email. He also contacted the website's administrator at the West Bengal government, who did not respond. TechCrunch independently confirmed the vulnerability and also reached out to the West Bengal government, which pulled the website offline but did not return our requests for comment.

TechCrunch held its report until the vulnerability was fixed or no longer posed a risk. At the time of publication, the affected website remains offline.

It is not known exactly how many COVID-19 laboratory results were exposed as a result of this security lapse, or whether the vulnerability was discovered by anyone other than Mazumdar. By the time the website was pulled offline in late February, the state government had tested more than 8.5 million residents for COVID-19.

West Bengal is one of the most populous states in India, with around 90 million inhabitants. Since the onset of the pandemic, the state government has recorded more than 10,000 coronavirus deaths.

This is the latest of several security incidents to hit India in recent months connected to the response to the coronavirus pandemic.

Last May, India's largest cell network, Jio, admitted a security lapse after a security researcher found an exposed database belonging to the company's coronavirus symptom checker, which Jio had launched months earlier.

In October, a security researcher discovered that Dr. Lal Pathlabs had left hundreds of spreadsheets containing millions of patient booking records, including for COVID-19 tests, on a public storage server that was not password protected, allowing anyone to access sensitive patient data.

