Aarogya Setu vulnerable? Drama over data firm’s contention
FIRM SAID IT ACCESSED THE CODE AND BACKEND INFRA, BEFORE GOVT ISSUED A STRONG STATEMENT. BOTH LATER BACKTRACKED
nNEW DELHI: A cyber security firm said on Wednesday that it stumbled upon large parts of the government’s contact tracing app Aarogya Setu’s code and back-end components that could jeopardise the privacy of 150 million users after a government website appeared to have inadvertently uploaded log-in credentials used by the developers, triggering a war of words with the government before both sides retracted their claims.
On Wednesday afternoon, threat intelligence firm Shadow Map said in a blog post published on its website that it found the log-in credentials used by developers of Aarogya Setu sitting, possibly by accident, on a government website, allowing them to gain access to large parts of the code and other software infrastructure that, if accessed by hackers, could expose location, contact, and health data of the users.
The blog post refers to events that happened in late June, and added that the issue was fixed a day after Shadow Map pointed it out to the relevant authorities.
In a widely circulated statement on Wednesday evening, the government called the claims “malicious, nefarious and unsubstantiated” and assured users that no data has been compromised due to the alleged vulnerabilities. It also said it would pursue legal action against the company. Shortly after, Shadow Map took down the blog post, and the government retracted its statement.
“We assure users no data was compromised and we will look into this incident in entirety and take action as per the law,” said Abhishek Singh, CEO of Mygov, the government agency spearheading the project. Singh added that the statement was being retracted since the blog had been pulled down.
Aarogya Setu is a mobile phone-based contact-tracing application meant to identify people with Covid-19, but has been criticised by privacy experts for collecting excessive amounts of data, while cyber security analysts have also flagged endemic issues in India’s cyber hygiene that could expose such data to malicious actors, including state-backed hackers.
In the now-retracted blog