Captcha Breach: How Techies Are Gaming the System for Vaccine Slot

Techies are writing code against CoWIN's application programming interface just to book a vaccine slot.

Suresh (name changed) made multiple attempts to book a vaccination slot on CoWIN, but to no avail.

"So many people were using automations to book their slots. I realised that I wouldn't stand a chance if I were to book a slot manually," he said.

Exasperated, Suresh took it upon himself to find a hack.

He started working on programs that not only search for slots using the Application Programming Interfaces (APIs) of CoWIN, but also book the slot.

Amid a vaccine shortage and a gaping digital divide in India, scores of techies are gaming the system by writing code against CoWIN’s application programming interface. This, they say, is the only way to find a slot for vaccines.

However, when RS Sharma, Chairman of CoWIN, was informed by MoneyControl about the use of coding to book vaccines, he denied any knowledge of it.

A day later, the central government introduced captcha – a verification tool which was supposed to end the automated booking of vaccines.

Nonetheless, programmers have already found a way to even ‘bypass the captcha’ and book slots ahead of other users who are still using CoWIN to book slots.

How Does it Work?

Cowin4all is a python script being used for automated slot booking.

(Photo: Github/ Accessed by The Quint)

Below are the steps followed when a slot is booked via CoWIN.

  1. A user visits the CoWIN website
  2. Enters their mobile number by clicking on 'Sign In'
  3. CoWIN sends OTP to the user
  4. The user then enters the OTP and logs into the web application
  5. The user keeps on searching for the next available slot online for a given pin code or a given district in a state
  6. Once a slot is available, user schedules appointment for a beneficiary.
  7. User is asked to enter a captcha
  8. The slot is then booked
  9. Follow steps 5 to 8, in case booking needs to be done for other beneficiaries
  10. In due course, if the session expires, the user has to start again from step 2 and re-login to the site

Step 4, Step 5, Step 7 and Step 9 require registered users to wait and provide the input. This is where software developers are using automation scripts to escape the wait.

In order to automate Step 4, these scripts need an app or setting on the user's mobile that forwards the OTP as soon as it is received. Let's call it the OTP Forwarder.

There are many types of apps which can forward an SMS to an external site. Any of these apps can be used as an OTP forwarder in automation scripts. These scripts also automate captcha input with a 100% success rate.
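
A defender-side illustration of the point above, added here and not taken from the article, CoWIN or the scripts it describes: the steps that make a human wait leave a timing floor in server logs, and automated sessions fall below it. The event names, thresholds and sample log are assumptions constructed for the example.

```python
from collections import defaultdict

# Assumed lower bounds (seconds) for a human to complete each waiting step.
MIN_HUMAN_SECONDS = {
    ("otp_sent", "otp_submitted"): 3.0,
    ("captcha_issued", "captcha_submitted"): 2.0,
}
MAX_SEARCHES_PER_MINUTE = 20  # assumed ceiling for manual slot searching

# Constructed sample events, not real CoWIN logs: (session, seconds, event).
SAMPLE_EVENTS = [
    ("s1", 100.0, "otp_sent"), ("s1", 121.5, "otp_submitted"),
    ("s1", 130.0, "slot_search"), ("s1", 170.0, "slot_search"),
    ("s1", 300.0, "captcha_issued"), ("s1", 308.2, "captcha_submitted"),
    ("s2", 100.0, "otp_sent"), ("s2", 100.9, "otp_submitted"),
    ("s2", 140.0, "captcha_issued"), ("s2", 140.3, "captcha_submitted"),
] + [("s2", 101.0 + i, "slot_search") for i in range(25)]


def flag_sessions(events):
    """Return {session: [reasons]} for sessions whose timing looks automated."""
    end_to_start = {end: start for start, end in MIN_HUMAN_SECONDS}
    pending = {}                  # (session, start_event) -> timestamp
    searches = defaultdict(list)  # session -> search timestamps in last 60 s
    reasons = defaultdict(list)
    for session, ts, event in sorted(events, key=lambda e: e[1]):
        if event in end_to_start.values():
            pending[(session, event)] = ts
        elif event in end_to_start:
            start = end_to_start[event]
            began = pending.pop((session, start), None)
            if began is None:
                reasons[session].append(f"{event} without {start}")
            elif ts - began < MIN_HUMAN_SECONDS[(start, event)]:
                reasons[session].append(f"{start}->{event} in {ts - began:.1f}s")
        elif event == "slot_search":
            searches[session] = [t for t in searches[session] if ts - t < 60.0] + [ts]
            msg = "search rate above manual ceiling"
            if (len(searches[session]) > MAX_SEARCHES_PER_MINUTE
                    and msg not in reasons.get(session, [])):
                reasons[session].append(msg)
    return dict(reasons)


if __name__ == "__main__":
    for session, why in flag_sessions(SAMPLE_EVENTS).items():
        print(session, why)
```

Timing floors like these are a signal for review or step-up verification, not proof on their own; a script can add delays, so they work alongside the rate limiting and request blocking mentioned later in the article.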


Bypassing Captcha

The Quint could verify at least 2 automation scripts which could book the vaccine without asking for a captcha.

  • Python script used for automated vaccination booking. (Photo Courtesy: The Quint)

  • Cowin4all, a script which books vaccine automatically, bypassing captcha. (Photo Courtesy: The Quint)

A developer, speaking on condition of anonymity, explained that the captcha CoWIN provides is in SVG format, which can be analysed directly just by identifying the patterns of the paths used to render the captcha.

"This defies the basic purpose of having captcha in the first place, which is to differentiate humans from bots. The stronger and more novel the captcha, the better the prevention of bots. One can use something like Google's reCaptcha to have a better chance at stopping bots. This would not totally solve the problem, because there are ways to crack it, but at the least it will cut down a good dozen bots from hitting the site," he added.

Get a Slot Booked For Rs 1000

Screenshot of a Telegram group asking money for booking vaccines.

(Photo Courtesy: The Quint)

The Quint found a few groups on Telegram which charge Rs 1000 to book a slot across the country.

These channels ask for your Aadhaar details along with your phone number. Using automated scripts, these individuals can get you a slot booked within a few minutes across the country.

After the vaccination slot is booked, the hackers seek a fee of Rs 1000.

Cyber security researcher Sourajeet Majumder told The Quint that users must refrain from buying COVID-19 vaccination slots at all, since it is unethical in the first place and risky too.

"The person promising you a vaccination slot might dupe you out of your money. Also, many of them ask for details like phone number, address and Aadhaar Card, which one shouldn't share since it can be misused to carry out scams, frauds and might also lead to identity theft", he added.

“Individuals who are charging money to book slots must be reported and booked by the police and put behind bars. It is a cruel idea to make money from the fight against a pandemic through such illicit methods.”
Satya Muley, Advocate, Bombay High Court

Big Question: Is Scripting Legal?

Booking slots for vaccination through bots implies going against the government-approved process.

Such an act by any individual is classified as a criminal act since it involves an unauthorised attack on, and use of, the government-approved system, believes Satya Muley, an advocate at the Bombay High Court.

Muley said that scripting involves unauthorised reading of captcha codes to cheat the system with a dishonest intention of wrongful personal gain. "Automated reading of captcha code saves time and leads to automated slot booking. Such an act is a cybercrime," he said.

Apart from being a cybercrime, it is also exclusionary and an illegal act against society at large, as members of the public are deprived of slots due to the use of bots by some tech-savvy criminals.

"For such computer-related offences, S. 43 & S. 66 of the IT Act 2000 have prescribed a punishment of up to 3 years imprisonment or a fine which may extend to five lakh rupees or both," Muley added.

Debabrata Nayak, Additional Director, national e-governance division, told The Quint that CoWIN is taking all security measures to reduce the automated booking of slots. "These bots claim to book vaccines automatically. However, we have placed all measures starting from rate limiting to blocking of such requests," he added.

The Quint raised the query with RS Sharma the same day the CoWIN server stopped its 'captcha' verification system.
