A security breach in a website run by the government of West Bengal in India exposed the lab results of at least hundreds of thousands of residents, and likely millions, who had been tested for COVID-19.
The website is part of the West Bengal government’s mass coronavirus screening program. Once a COVID-19 test result is ready, the government sends a text message to the patient with a link to their website with their test results.
But security researcher Sourajeet Majumder found that the link containing the patient’s unique test ID number was scrambled with a base64 encoding, which can be easily converted using online tools. Since ID numbers were sequenced incrementally, the website bug meant that anyone could change this number in their browser’s address bar and view the test results of other patients.
The test results contain the patient’s name, gender, age, mailing address, and whether the patient’s lab test result returned positive, negative, or inconclusive for COVID-19.
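An added illustration, not code from the West Bengal site or from TechCrunch: the first two functions reproduce the reversible base64-only pattern the article describes, and the last two show one server-side mitigation, binding the test ID to an HMAC so an edited or incremented ID no longer verifies. The key, the ID format and the function names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed key for this demo; a real deployment loads it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 tag


def weak_link_id(test_id: int) -> str:
    """The pattern the article describes: base64 merely obscures the number."""
    return base64.urlsafe_b64encode(str(test_id).encode()).decode()


def decode_weak_link_id(token: str) -> int:
    """Base64 is an encoding, not encryption, so the ID is trivially recovered."""
    return int(base64.urlsafe_b64decode(token).decode())


def signed_link_id(test_id: int, key: bytes = SERVER_KEY) -> str:
    """Append an HMAC so the server can tell an ID it issued from an edited one."""
    msg = str(test_id).encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(msg + tag).decode()


def verify_signed_link_id(token: str, key: bytes = SERVER_KEY):
    """Return the test ID if the token is authentic, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError):
        return None  # malformed base64
    if len(raw) <= TAG_LEN:
        return None  # no room for both an ID and a tag (e.g. a bare base64 ID)
    msg, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return int(msg.decode())
    except ValueError:
        return None
```

Signing only stops tampering with the link; the results page should still require the patient to authenticate, and a random, unguessable token stored server-side is the usual alternative to exposing a sequential ID at all.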
Majumder told TechCrunch he was concerned that a malicious attacker could scrape the site and sell the data. “It’s a breach of privacy if someone else has access to my private information,” he said.
Two redacted COVID-19 lab test results exposed following a security breach on the West Bengal government website. (Screen capture: TechCrunch)
Majumder reported the vulnerability to India’s CERT, the country’s dedicated cybersecurity response unit, which acknowledged the issue in an email. He also contacted the official for the West Bengal government website, who did not respond. TechCrunch independently confirmed the vulnerability and also contacted the West Bengal government, which took the website offline, but did not return our requests for comment.
TechCrunch held this report until the vulnerability was fixed or the data was no longer at risk. At the time of publication, the affected website remains offline.
It is not known exactly how many COVID-19 lab results were exposed due to this security flaw, or if anyone other than Majumder discovered the vulnerability. By the time the website was taken offline in late February, the state government had tested more than 8.5 million residents for COVID-19.
West Bengal is one of the most populous states in India, with around 90 million people. Since the start of the pandemic, the state government has recorded more than 10,000 coronavirus deaths.
It is the latest of several security incidents in recent months to hit India and its response to the coronavirus pandemic.
Last May, Jio, India’s largest cellular network, admitted to a security breach after a security researcher found an exposed database belonging to the company’s coronavirus symptom checker, which Jio had launched months earlier.
In October, a security researcher discovered that Dr Lal PathLabs had left hundreds of spreadsheets containing millions of patient booking records, including for COVID-19 testing, on a public storage server that was not password protected, allowing anyone to access sensitive patient data.