The Uttar Pradesh government’s internal Covid-19 tracking site reportedly had “multiple bugs”, which seemingly exposed the private data of over 8 million users in the public domain. Security researchers Noam Rotem and Ran Locar, on behalf of vpnMentor, reportedly made this discovery about ‘Surveillance Platform Uttar Pradesh Covid-19’, the official internal coronavirus tracking platform used by the UP state government. After the report was raised with CERT-In, India’s emergency cyber threat response department, the bugs are said to have been patched, and the data in question is no longer exposed to discovery by malicious threat actors.
According to a report by The Next Web, Rotem and Locar detected the breach on August 1 and verified it by August 9. Subsequently, they attempted to contact authorities in the UP government and raised it with CERT-In. The bugs were patched on September 10. The report also states that there is no clear indication of whether this vulnerability was exploited by any attacker during the time the data was exposed in the public domain.
The report states that the flaws included a vulnerable code repository that contained key login credentials of administrator accounts with access to the information database. “Attackers could have taken control of the dashboard, manipulating case statuses or modifying patient data,” the report added. This comes at a time when the Indian government has affirmed that it is ramping up its cyber security protocols, in light of China's geopolitically incentivised cyber espionage activities in India's cyberspace.
Other flaws in this system included a vulnerable database that also contained user data of people outside Uttar Pradesh. The data is said to be personally identifiable in nature, and reportedly included details such as names, addresses, tracking dates, test results and phone numbers of over 8 million people. Following the ethical disclosure attempts undertaken by the security researchers in partnership with The Next Web, the flaws are now said to be patched.