Aarogya Setu vulnerable? Drama over data firm’s contention
FIRM SAID IT ACCESSED THE CODE AND BACKEND INFRA, BEFORE GOVT ISSUED A STRONG STATEMENT. BOTH LATER BACKTRACKED
NEWDELHI: A cyber security firm said on Wednesday that it stumbled upon large parts of the government’s contact tracing app Aarogya Setu’s code and back-end components that could jeopardise the privacy of 150 million users after a government website appeared to have inadvertently uploaded log-in credentials used by the developers, triggering a war of words with the government before both sides retracted their claims. On Wednesday afternoon, threat intelligence firm Shadow Map said in a blog post published on its website that it found the log-in credentials used by developers of Aarogya Setu sitting, possibly by accident, on a government website, allowing them to gain access to large parts of the code and other software infrastructure that, if accessed by hackers, could expose location, contact, and health data of the users.
The blog post refers to events that happened in late June, and added that the issue was fixed a day after Shadow Map pointed it out to the relevant authorities.
In a widely circulated statement on Wednesday evening, the government called the claims “malicious, nefarious and unsubstantiated” and assured users that no data has been compromised due to the alleged vulnerabilities. It also said it would pursue legal action against the company. Shortly after, Shadow Map took down the blog post, and the government retracted its statement.
“We assure users no data was compromised and we will look into this incident in entirety and take action as per the law,” said Abhishek Singh, CEO of Mygov, the government agency spearheading the project. Singh added that the statement was being retracted since the blog had been pulled down.
Aarogya Setu is a mobile phone-based contact-tracing application meant to identify people with Covid-19, but has been criticised by privacy experts for collecting excessive amounts of data, while cyber security analysts have also flagged endemic issues in India’s cyber hygiene that could expose such data to malicious actors, including state-backed hackers.
In the now-retracted blog post , Shadow Map gave what appeared to be details with screenshots of how it found “the source code for the Aarogya Setu platform including its back-end infrastructure being exposed on the public internet”, citing in particular the discovery of log-in credentials used by the developers on Github.
Github is a code-sharing platform that is often used by programmers to work on software they are building.
The discovery was part of internal research to scan government websites for publicly accessible data, the researchers said, adding: “On the 23rd of June, while analysing the data from this GOV.IN scan, we noticed that one of the Aarogya Setu servers had been recently updated and one of its developers had accidentally published their Git folder into the public webroot, along with the plain-text user name and password details for the official Aarogya Setu Github account.” This, the researchers went on to say, allowed them to access the code stored on Github, which in turn gave previously undisclosed details about how the platform is designed, including the role of private operators, and access to “authentication keys” that could potentially enable access to user data.