Suresh (name changed) made multiple attempts to book a vaccination slot on CoWIN, but to no avail.
"So many people were using automations to book their slots. I realised that I wouldn't stand a chance if I were to book a slot manually," he said.
Exasperated, Suresh took it upon himself to find a hack.
He started working on programs that not only search for slots using the Application Programming Interfaces (APIs) of CoWIN, but also book the slot.
However, when MoneyControl informed RS Sharma, Chairman of CoWIN, about the use of code to book vaccines, he denied any knowledge of it.
A day later, the central government introduced captcha – a verification tool which was supposed to end the automated booking of vaccines.
Below are the steps followed when a slot is booked via CoWIN.
To automate Step 4, these scripts need a setting on the mobile phone that can forward the OTP as soon as it is received. Let's call it the OTP Forwarder.
There are many types of apps which can forward an SMS to an external site. Any of these apps can be used as an OTP forwarder in automation scripts. These scripts also automate captcha input with a 100% success rate.
The Quint could verify at least 2 automation scripts which could book the vaccine without asking for a captcha.
Python script used for automated vaccination booking.
Cowin4all, a script which books vaccine automatically, bypassing captcha.
A developer, speaking on condition of anonymity, explained that the captcha CoWIN provides is in SVG format, which can be analysed directly just by identifying the patterns of the paths used to render the captcha.
"This defies the basic purpose of having captcha in the first place, which is to differentiate humans from bots. The stronger and more novel the captcha, the better the prevention of bots. One can use something like Google's reCaptcha to have a better chance at stopping bots. This would not totally solve the problem, because there are ways to crack it, but at the least it will cut down a good dozen bots from hitting the site," he added.
The Quint found a few groups on Telegram which charge Rs 1000 to book a slot across the country.
These channels ask for your Aadhaar details along with your phone number. Using automated scripts, these individuals can get you a slot booked within a few minutes across the country.
After the vaccination slot is booked, the hackers seek a fee of Rs 1000.
Cyber security researcher Sourajeet Majumder told The Quint that users must refrain from buying COVID-19 vaccination slots at all, since it is unethical in the very first place and risky too.
"The person promising you a vaccination slot might dupe you out of your money. Also, many of them ask for details like phone number, address and Aadhaar Card, which one shouldn't share since it can be misused to carry out scams, frauds and might also lead to identity theft," he added.
Booking slots for vaccination through bots implies going against the government-approved process.
Such an act by any individual gets classified as a criminal act since it involves an unauthorised attack on and use of the government-approved system, believes Satya Muley, an advocate at the Bombay High Court.
Muley said that scripting involves unauthorised reading of captcha codes to cheat the system with a dishonest intention of wrongful personal gain. "Automated reading of captcha code saves time and leads to automated slot booking. Such an act is a cybercrime," he said.
Apart from being a cybercrime, it is also exclusionary and an illegal act against society at large, as members of the public are deprived of slots due to the use of bots by some tech-savvy criminals.
"For such computer-related offences, S. 43 & S. 66 of the IT Act 2000 have prescribed a punishment of up to 3 years imprisonment or a fine which may extend to five lakh rupees or both," Muley added.
Debabrata Nayak, Additional Director, National e-Governance Division, told The Quint that CoWIN is taking all security measures to reduce the automated booking of slots. "These bots claim to book vaccines automatically. However, we have placed all measures starting from rate limiting to blocking of such requests," he added.
The Quint raised the query with RS Sharma the same day the CoWIN server stopped its 'captcha' verification system.