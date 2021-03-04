



A security flaw in a website operated by the Government of West Bengal in India exposed the COVID-19 test results of at least hundreds of thousands of residents, if not millions.

The website is part of the West Bengal Government’s mass coronavirus testing program. When a COVID-19 test result is ready, the government sends the patient a text message with a link to a web page containing the result.

However, security researcher Sourajeet Majumder found that the patient’s unique test identification number in the link was only base64-encoded, which can be trivially decoded with online tools. Because the identification numbers were sequential, a bug in the website allowed anyone to change the number in their browser’s address bar and view other patients’ test results.
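To make the failure mode concrete, here is an added Python sketch. It is not code from the West Bengal site or from TechCrunch; the records, the test ids, the token store and the OTP step are constructed assumptions. It contrasts a results lookup keyed by a base64-encoded sequential id (base64 is encoding, not secrecy, so the id can be read and adjusted) with one keyed by a random per-record token that also requires the caller to prove they are the patient.

```python
import base64
import hmac
import secrets

# Constructed sample records, not real data: results keyed by a sequential test id.
RESULTS = {
    1001: {"name": "Patient A", "result": "negative", "phone": "+91-0000000001"},
    1002: {"name": "Patient B", "result": "positive", "phone": "+91-0000000002"},
}


def encode_id(test_id: int) -> str:
    """Base64 of the numeric id, as in the link the article describes."""
    return base64.urlsafe_b64encode(str(test_id).encode()).decode()


def decode_id(token: str) -> int:
    """Anyone can reverse the encoding; there is no secret involved."""
    return int(base64.urlsafe_b64decode(token.encode()))


def vulnerable_lookup(token: str):
    """Insecure direct object reference: the decoded number selects the record
    and nothing checks that the caller is entitled to it."""
    return RESULTS.get(decode_id(token))


# Hardened variant (assumed design): each result gets an unguessable token that
# carries no ordering, and viewing it also requires a one-time code delivered
# to the phone number on file. SMS delivery is assumed to exist elsewhere.
TOKENS: dict[str, int] = {}  # opaque token -> test id


def issue_link_token(test_id: int) -> str:
    """Mint a 256-bit random token for the SMS link; it cannot be enumerated."""
    tok = secrets.token_urlsafe(32)
    TOKENS[tok] = test_id
    return tok


def hardened_lookup(token: str, otp_given: str, otp_expected: str):
    """Resolve the opaque token and require a matching one-time code.
    compare_digest avoids leaking the expected code through timing."""
    test_id = TOKENS.get(token)
    if test_id is None:
        return None
    if not hmac.compare_digest(otp_given.encode(), otp_expected.encode()):
        return None
    return RESULTS.get(test_id)


def demonstrate() -> dict:
    """Show that the encoded sequential id is readable and adjustable, while the
    opaque token scheme rejects guessed tokens and wrong codes."""
    link = encode_id(1001)
    next_id = decode_id(link) + 1  # the enumeration the article describes
    tok = issue_link_token(1001)
    return {
        "decoded_id": decode_id(link),
        "neighbour_visible": vulnerable_lookup(encode_id(next_id)) is not None,
        "guessed_token_rejected": hardened_lookup("not-a-real-token", "123456", "123456") is None,
        "wrong_otp_rejected": hardened_lookup(tok, "000000", "123456") is None,
        "right_otp_accepted": hardened_lookup(tok, "123456", "123456") is not None,
    }


if __name__ == "__main__":
    print(demonstrate())
```

The point of the hardened variant is not the OTP specifically but that the URL alone never identifies a record in a way a caller can vary: the token is random and per-record, and possession of the link is combined with a second factor tied to the patient. Real deployments would also expire tokens and rate-limit lookups, which are left out here.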

Test results include the patient’s name, gender, age, address, and whether the patient’s lab test results returned positive, negative, or uncertain for COVID-19.

Majumder told TechCrunch that he was concerned that a malicious attacker could scrape the site and sell the data. “If someone else accesses my personal information, this is a privacy breach,” he said.

[Image: two COVID-19 lab test results, redacted to show the kind of data exposed by the security vulnerability in the West Bengal government website. (Screenshot: TechCrunch)]

Majumder reported the vulnerability to CERT-In, India’s dedicated cybersecurity response unit, which acknowledged the problem by email. He also contacted the administrator of the West Bengal government’s website but received no response. TechCrunch independently verified the vulnerability and contacted the West Bengal government, which took the website offline but did not respond to a request for comment.

TechCrunch held the report until the vulnerability was fixed or the risk had passed. At the time of publication, the affected website remains offline.


It is not known exactly how many COVID-19 lab results were exposed by this flaw, or whether anyone other than Majumder discovered the vulnerability. By the time the website went offline at the end of February, the state government had tested more than 8.5 million residents for COVID-19.

West Bengal is one of India’s most populous states, with approximately 90 million inhabitants. Since the outbreak of the pandemic, the state government has recorded more than 10,000 deaths from the coronavirus.

This is the latest of several security incidents to hit India in recent months involving systems set up in response to the coronavirus pandemic.

In May last year, India’s largest cell network, Jio, admitted a security lapse after a security researcher found a database belonging to the coronavirus symptom checker it had launched a few months earlier.

In October, security researchers found that Dr. Lal PathLabs had left hundreds of spreadsheets containing millions of patient appointment records, including COVID-19 test bookings, on a public storage server that was not password-protected, leaving sensitive patient data accessible to anyone.

Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files and documents using SecureDrop.

