Aarogya Setu
post , Shadow Map gave what appeared to be details with screenshots of how it found “the source code for the Aarogya Setu platform including its back-end infrastructure being exposed on the public internet”, citing in particular the discovery of log-in credentials used by the developers on Github.
Github is a code-sharing platform that is often used by programmers to work on software they are building.
The discovery was part of internal research to scan government websites for publicly accessible data, the researchers said, adding: “On the 23rd of June, while analysing the data from this GOV.IN scan, we noticed that one of the Aarogya Setu servers had been recently updated and one of its developers had accidentally published their Git folder into the public webroot, along with the plaintext user name and password details for the official Aarogya Setu Github account.”
This, the researchers went on to say, allowed them to access the code stored on Github, which in turn gave previously undisclosed details about how the platform is designed, including the role of private operators, and access to “authentication keys” that could potentially enable access to user data.
“A malicious user that gets access to Github or their cloud platforms could easily introduce malware into the app that would then be served to all 150 million users,” Yash Kadakia, founder of Shadow Map, told HT over phone in the afternoon.
To these claims, Singh said the disclosures “were very unethical and unprofessional act of a firm that was involved in security audit of the app”.
In the statement issued by the ministry of electronics and IT, before it was retracted, the government accused Security Brigade – the parent company of Shadow Map -- of violating its terms of engagement on the Aarogya Setu project.
“Security Brigade, a CERT-IN empanelled agency, was one of the reviewers of Aarogya Setu code and confidential information relating to the code was shared with the firm. In all such reviews and audits, the expectation is that they will conduct the review professionally and will maintain confidentiality. Now publishing an article on issues that they came to know as part of the code review violates the basic principles of ethics and propriety,” it said.
Security Brigade rejected the allegation and reiterated the information was based on code accessed as a result of the leak of the Github credentials on a government website.
“Aarogya Setu reached out to six organisations and shared their Android source code for review prior to their press conference announcing the bug bounty program. Of course, this Android source code was then made publicly available for all on Github and has absolutely nothing to do with the article we have published. The code we discovered and responsibly reported to NIC was related to other internal components which have not yet been made public. These were accidentally exposed due to their security lapses in the Aarogya Setu infrastructure,” Shadow Map’s parent company Security Brigade said in response to the government’s statement.
In the blog post, Shadow Map cited the data available on Github and the source code showed “several private organisations are heavily involved in the development and management of the Aarogya Setu platform”.
This, they said, raised concerns around how much access individuals or private organisations had to the massive amounts of personal data.
All of these details, the researchers added in the blog post as well as their subsequent statement, were “responsibly shared with senior members of the NIC, CERT and key stakeholders from the Aarogya Setu team”. They added: “However, we did not receive any acknowledgement or response from them. The issue was silently fixed the next day.”
Other cybersecurity and technology policy experts said the findings reported by Shadow Map, if true, were worrying. “The initial error, exposing the Github credentials, is a very big mistake from the Aarogya Setu devs (developers),” said Baptiste Robert, a programmer who has previously reported vulnerabilities in the Aarogya Setu app as well as government websites that leaked sensitive user data.
Robert said a particular technical aspect of the purported finding would be significant if true. This was in reference to Shadow Map finding an “authentication key” that could enable access to the database of Aarogya Setu. “This is pretty huge because with this key, they can read/write the content of the database.”
Shadow Map in its blog post said it did not use the key to access the database and a spokesperson said the company was not aware if any hackers had carried out such a breach.
“To my understanding, Shadow Map indicated that through private keys hardcoded in repositories, it is possible to generate access tokens that can in turn be used to read, write, update and delete data stored in the Firebase (the service hosting the database). This is extremely worrying, as this would open up the possibility of malicious actors being able to tamper with the app’s data, which clearly includes sensitive personal information (such as phone numbers, travel history, information about personal health) of millions of people using the app,” said Gunjan Chawla, programme manager, technology and national security, at National Law University, Delhi’s Centre for Communication Governance.
She added that if true, the incident also reflects poorly on cyber hygiene practices in India. “It is meaningless to encrypt databases if the decryption key is visible to any person viewing the source code. Other than passive profiling of citizens by adversarial countries, a malicious actor could even simply change a high risk case to a low risk, or vice versa to sabotage government attempts at containing the pandemic. Given these risks, it is surprising the app is not being treated as Critical Information Infrastructure,” she said.
ACROSS
DOWN