Aarogya Setu vulnerable? Drama over data firm’s contention
NEW DELHI: A cyber security firm said on Wednesday that it stumbled upon large parts of the government’s contact tracing app Aarogya Setu’s code and back-end components that could jeopardise the privacy of 150 million users, after a government website appeared to have inadvertently uploaded log-in credentials used by the developers. The claim triggered a war of words with the government before both sides retracted their statements.
On Wednesday afternoon, threat intelligence firm Shadow Map said in a blog post published on its website that it found the log-in credentials used by developers of Aarogya Setu sitting, possibly by accident, on a government website, allowing them to gain access to large parts of the code and other software infrastructure that, if accessed by hackers, could expose location, contact, and health data of the users. The blog post refers to events that happened in late June, and adds that the issue was fixed a day after Shadow Map pointed it out to the relevant authorities.
In a widely circulated statement on Wednesday evening, the government called the claims “malicious, nefarious and unsubstantiated” and assured users that no data has been compromised due to the alleged vulnerabilities. It also said it would pursue legal action against the company. Shortly after, Shadow Map took down the blog post, and the government retracted its statement.
“We assure users no data was compromised and we will look into this incident in entirety and take action as per the law,” said Abhishek Singh, CEO of MyGov, the government agency spearheading the project. Singh added that the statement was being retracted since the blog had been pulled down.
Aarogya Setu is a mobile phone-based contact-tracing application meant to identify people with Covid-19, but has been criticised by privacy experts for collecting excessive amounts of data, while cyber security analysts have also flagged endemic issues in India’s cyber hygiene that could expose such data to malicious actors, including state-backed hackers.
FIRM SAID IT ACCESSED THE CODE AND BACKEND INFRA, BEFORE GOVT ISSUED A STRONG STATEMENT. BOTH LATER BACKTRACKED
In the now-retracted blog post, Shadow Map gave what appeared to be details, with screenshots, of how it found “the source code for the Aarogya Setu platform including its back-end infrastructure being exposed on the public internet”, citing in particular the discovery of log-in credentials used by the developers on GitHub.
GitHub is a code-sharing platform that is often used by programmers to work on software they are building.
The discovery was part of internal research to scan government websites for publicly accessible data, the researchers said, adding: “On the 23rd of June, while analysing the data from this GOV.in scan, we noticed that one of the Aarogya Setu servers had been recently updated and one of its developers had accidentally published their Git folder into the public webroot, along with the plain-text user name and password details for the official Aarogya Setu GitHub account.”
This, the researchers went on to say, allowed them to access the code stored on GitHub, which in turn gave previously undisclosed details about how the platform is designed, including the role of private operators, and access to “authentication keys” that could potentially enable access to user data.
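The mishap described above (a Git folder and plaintext credentials published into a public webroot) is the kind of thing a pre-deploy check can catch before a server goes live. The script below is an added illustration, not code from Shadow Map or the Aarogya Setu project; the sample directory tree and the credential patterns are constructed for the example.

```python
"""Pre-deploy check: flag a webroot that contains version-control metadata
or files holding plaintext credentials. Added example; the sample tree is
constructed here and mimics the exposure pattern, not any real deployment."""
import os
import re
import tempfile

# Directories and files that must never sit inside a public document root.
FORBIDDEN_DIRS = {".git", ".svn", ".hg"}
FORBIDDEN_FILES = {".env", ".git-credentials", ".netrc", "id_rsa"}
# Crude plaintext-credential patterns: "key = value" style, or user:pass@ in a URL.
CRED_PATTERNS = [
    re.compile(r"(?i)(password|passwd|pwd|secret|token)\s*[:=]\s*\S+"),
    re.compile(r"https?://[^/\s:]+:[^@\s]+@"),
]

def scan_webroot(root):
    """Return a sorted list of (relative_path, reason) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in FORBIDDEN_DIRS:
                findings.append((os.path.relpath(os.path.join(dirpath, d), root), "vcs-metadata"))
                dirnames.remove(d)  # the directory itself is the finding; do not descend
        for f in filenames:
            path = os.path.join(dirpath, f)
            rel = os.path.relpath(path, root)
            if f in FORBIDDEN_FILES:
                findings.append((rel, "secret-file"))
                continue
            try:
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read(65536)  # inspect only the first 64 KiB
            except OSError:
                continue
            if any(p.search(text) for p in CRED_PATTERNS):
                findings.append((rel, "plaintext-credential"))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample: a .git folder plus a config with plaintext credentials."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/main\n")
    with open(os.path.join(root, "config.ini"), "w") as fh:
        fh.write("github_user = deploy\ngithub_password = hunter2\n")  # constructed
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>\n")
    return root

if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_webroot()):
        print(f"{reason:22} {rel}")
```

Run it as a CI step and fail the deploy when the list is non-empty; pair it with a web server rule that denies requests for `.git/` paths as a second layer.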
“A malicious user that gets access to GitHub or their cloud platforms could easily introduce malware into the app that would then be served to all 150 million users,” Yash Kadakia, founder of Shadow Map, told HT over phone in the afternoon.
To these claims, Singh said the disclosures “were very unethical and unprofessional act of a firm that was involved in security audit of the app”.
In the statement issued by the ministry of electronics and IT, before it was retracted, the government accused Security Brigade, the parent company of Shadow Map, of violating its terms of engagement on the Aarogya Setu project.
“Security Brigade, a CERT-In empanelled agency, was one of the reviewers of Aarogya Setu code and confidential information relating to the code was shared with the firm. In all such reviews and audits, the expectation is that they will conduct the review professionally and will maintain confidentiality,” it said.