On 12 August, cybersecurity firm Shadow Map came upon a large chunk of the code and back-end components of Aarogya Setu, India’s contact tracing app, an exposure that could compromise the privacy of more than 150 million of its users.
As per a Hindustan Times (HT) report, Shadow Map found log-in credentials used by developers of Aarogya Setu, exposed on a government website.
As per the report, an Aarogya Setu developer seems to have inadvertently uploaded log-in credentials of the contact tracing app that allowed the research team at Shadow Map to gain access to large parts of the code and other key software.
It also mentions that the issue was fixed later after Shadow Map informed the Aarogya Setu team about the vulnerability.
In a now-retracted blog post, the research team at Shadow Map shared details of the vulnerability bundled with screenshots of the source code including the app’s backend structure that was exposed.
The discovery of the log-in credentials was made on GitHub, a code-sharing platform that developers and programmers use to share their work.
This vulnerability could prove costly to users on Aarogya Setu’s platform.
Aarogya Setu is a coronavirus-tracking application that houses data of millions of users. It has been criticised by privacy experts for collecting excessive amounts of data, which could expose users’ data to malicious actors.
In this case, if the sensitive information were to land in the hands of a hacker, it could expose the users’ location, health data and contact information.
The Aarogya Setu team has denied any such breach and called the report by Shadow Map “malicious, nefarious and unsubstantiated”.
Abhishek Singh, CEO of MyGov, who is in charge of the Aarogya Setu project, issued a statement assuring that no user data had been exposed and also said that the government would pursue legal action against Security Brigade, which is the parent company of Shadow Map.
Singh’s statement was later pulled down after Shadow Map decided to delete the blog post.
In a statement, the Ministry of Electronics and IT (MeitY) also accused Security Brigade of violating its terms of engagement on the Aarogya Setu project.
Security Brigade has rejected all the allegations against it and further reiterated that the report was based on a leak that was found on GitHub.
The company also said that it did not use the key to access the database and a spokesperson said the company was not aware if any hackers had carried out such a breach.
Shadow Map’s parent also said that the components related to the app were accidentally exposed on GitHub and had nothing to do with the Android source code that was released for review.
It also went on to add that all of the data related to the Aarogya Setu open source project was “responsibly shared with senior members of the NIC, CERT and key stakeholders from the Aarogya Setu team”.
However, Shadow Map added that it did not receive any form of acknowledgement or credit for the find and the issue was silently fixed the next day.