On 12 August, cybersecurity firm Shadow Map came upon a large chunk of the code and back-end components of Aarogya Setu (India’s contact tracing app), an exposure that could compromise the privacy of more than 150 million of its users.
As per a Hindustan Times (HT) report, Shadow Map found login credentials used by Aarogya Setu developers exposed on a government website.
More About the Breach
As per the report, an Aarogya Setu developer seems to have inadvertently uploaded login credentials for the contact tracing app, which allowed the research team at Shadow Map to gain access to large parts of the code and other key software.
It also mentions that the issue was fixed after Shadow Map informed the Aarogya Setu team of the vulnerability.
In a now-retracted blog post, the research team at Shadow Map shared details of the vulnerability along with screenshots of the source code, including the app’s exposed back-end structure.
How Was the Breach Detected?
The login credentials were discovered on GitHub, a code-sharing platform that developers and programmers use to share their work.
- The discovery was part of research scanning government websites for publicly accessible data.
- The Aarogya Setu servers had recently been updated, and one of the app’s developers accidentally published the root folder in the public webroot.
- The username and password of the Aarogya Setu GitHub account were available in plain text.
- Shadow Map gained access to undisclosed data on how Aarogya Setu was designed including “authentication keys” that could enable access to user data.
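The failure mode in the list above is a deploy that copies a project's root folder, credentials included, into a directory the web server publishes. The following pre-publish check is an added example written for this article, not code from Shadow Map or the Aarogya Setu project; the file-name list and credential patterns it uses are assumptions.

```python
# Added example (not code from the article or the Aarogya Setu project): a pre-publish
# check for a staging tree about to be served as a public webroot. It reports VCS
# metadata, dotenv-style files and text files holding plaintext credential patterns,
# which is the failure mode described above. Name lists and patterns are assumptions.
import os
import re
import tempfile

SENSITIVE_NAMES = {".git", ".env", "id_rsa", ".netrc"}  # assumed hygiene list
# "password = ...", "api_key: ...", or a GitHub personal access token prefix
CREDENTIAL_RE = re.compile(
    r"(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*\S+|\bghp_[A-Za-z0-9]{20,}"
)

def check_webroot(root: str) -> list[str]:
    """Return sorted findings; an empty list means the tree is safe to publish."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            if name in SENSITIVE_NAMES:
                findings.append("sensitive directory: " + os.path.relpath(os.path.join(dirpath, name), root))
                dirnames.remove(name)  # the directory itself is the finding; do not descend
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in SENSITIVE_NAMES:
                findings.append("sensitive file: " + rel)
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for lineno, line in enumerate(fh, 1):
                    if CREDENTIAL_RE.search(line):
                        findings.append(f"plaintext credential pattern: {rel}:{lineno}")
                        break  # one hit per file is enough to block the deploy
    return sorted(findings)

def demo() -> list[str]:
    """Constructed staging tree that reproduces the mistake: .git plus a config with a password."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, "deploy.conf"), "w", encoding="utf-8") as fh:
        fh.write("github_user = example\npassword = not-a-real-secret\n")  # constructed sample
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>hello</h1>\n")
    return check_webroot(root)

if __name__ == "__main__":
    print("\n".join(demo()) or "clean")
```

Run it as the last step of a deploy pipeline and fail the deploy on any non-empty result; the same check applied before a `git push` catches the GitHub side of the exposure.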
This vulnerability could prove costly to users on Aarogya Setu’s platform.
“A malicious user that gets access to GitHub or their cloud platforms could easily introduce malware into the app that would then be served to all 150 million users.”
Yash Kadakia, Founder, Shadow Map, to HT
How Does It Affect Users?
Aarogya Setu is a coronavirus-tracking application that houses the data of millions of users. It has been criticised by privacy experts for collecting excessive amounts of data, which could expose users’ data to malicious actors.
In this case, if the sensitive information were to land in the hands of a hacker, it could expose the users’ location, health data and contact information.
The Government’s Take?
The Aarogya Setu team has denied any such breach and called the report by Shadow Map “malicious, nefarious and unsubstantiated”.
Abhishek Singh, CEO of MyGov, who is in charge of the Aarogya Setu project, issued a statement assuring that no user data had been exposed, and also said that the government would pursue legal action against Security Brigade, the parent company of Shadow Map.
“We assure users no data was compromised and we will look into this incident in entirety and take action as per the law.”
Abhishek Singh, CEO, MyGov
Singh’s statement was later pulled down after Shadow Map deleted the blog post.
In a separate statement, the Ministry of Electronics and IT (MeitY) accused Security Brigade of violating its terms of engagement on the Aarogya Setu project.
“Security Brigade, a CERT-In empanelled agency, was one of the reviewers of Aarogya Setu code and confidential information relating to the code was shared with the firm. In all such reviews and audits, the expectation is that they will conduct the review professionally and will maintain confidentiality. Now publishing an article on issues that they came to know as part of the code review violates the basic principles of ethics and propriety,” MeitY said.
Security Brigade’s Reply to the Accusation
Security Brigade has rejected all the allegations against it and reiterated that the report was based on a leak found on GitHub.
The company also said that it did not use the key to access the database, and a spokesperson said the company was not aware whether any hackers had carried out such a breach.
“Aarogya Setu reached out to six organisations and shared their Android source code for review prior to their press conference announcing the bug bounty program. Of course, this Android source code was then made publicly available for all on GitHub and has absolutely nothing to do with the article we have published.”
Shadow Map’s parent also said that the components related to the app were accidentally exposed on GitHub and had nothing to do with the Android source code that was released for review.
It also added that all of the data related to the Aarogya Setu open source project was “responsibly shared with senior members of the NIC, CERT and key stakeholders from the Aarogya Setu team”.
However, Shadow Map added that it did not receive any form of acknowledgement or credit for the find, and that the issue was silently fixed the next day.