Expert Insight On Indian state government website exposed COVID-19 lab test results

It has been reported that a security flaw in a website run by the government of West Bengal in India exposed the lab results of at least hundreds of thousands of residents, though likely millions, who took a COVID-19 test. The website is part of the West Bengal government’s mass coronavirus testing program. Once a COVID-19 test result is ready, the government sends a text message to the patient with a link to its website containing their test results.

The researcher who reported the flaw found that the link carried the patient's unique test identification number encoded with base64, which is a reversible encoding rather than encryption and can be trivially decoded with online tools. Because the identification numbers were assigned sequentially, the website bug meant that anyone could change that number in their browser's address bar and view other patients' test results; nothing on the site checked that the requester was entitled to the record.
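The identifier scheme described above beside one hardened alternative, as an added illustration that is not code from the report or from the West Bengal site; the result records, function names and the server-side token index are constructed for the example.

```python
import base64
import secrets

# Constructed sample records standing in for a lab's result store (not real data).
RESULTS = {
    1001: {"patient": "A", "result": "negative"},
    1002: {"patient": "B", "result": "positive"},
}

# --- Weak scheme, as the report describes it: base64 of a sequential ID ---
def weak_link_token(result_id: int) -> str:
    """Base64 only re-encodes the number; it hides nothing and is not a secret."""
    return base64.urlsafe_b64encode(str(result_id).encode()).decode()

def weak_lookup(token: str):
    """No authorization check: whatever ID the token decodes to is served."""
    result_id = int(base64.urlsafe_b64decode(token).decode())
    return RESULTS.get(result_id)

# --- Hardened scheme: unguessable per-result capability token, mapped server-side ---
TOKEN_INDEX = {}  # token -> result_id; the mapping never leaves the server

def issue_secure_token(result_id: int) -> str:
    """256 bits from the OS CSPRNG; adjacent results share no structure."""
    token = secrets.token_urlsafe(32)
    TOKEN_INDEX[token] = result_id
    return token

def secure_lookup(token: str):
    """Unknown or altered token -> None. Binding the token to an authenticated
    session (or a short-lived OTP sent to the same phone) would be stronger still."""
    return RESULTS.get(TOKEN_INDEX.get(token))

def token_reveals_sequence_id(token: str) -> bool:
    """Triage check for a link scheme: does the URL parameter base64-decode to a
    bare integer? True means the record reference is enumerable."""
    try:
        padded = token + "=" * (-len(token) % 4)
        return base64.urlsafe_b64decode(padded).decode("ascii").strip().isdigit()
    except ValueError:  # bad base64 or non-text bytes: not a plain ID
        return False
```

Run `token_reveals_sequence_id` over a sample of your own result links as a quick audit: any True is an enumerable reference that needs an authorization check.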

Expert Comments

March 09, 2021
Jonathan Knudsen
Senior Security Strategist
Synopsys


A website for COVID test results in West Bengal in India is apparently missing access control, such that anyone can view results for anyone else. Like most software, this application was probably built as quickly as possible with functionality being its only goal. We will stop seeing these kinds of headlines only when development teams include security at every phase of development. In this case, about ten minutes of threat modeling during the application's design would have made obvious the danger of the scheme for referencing results. Designing a better access system would have added perhaps an hour or two to the development cycle. Like brushing your teeth or eating your vegetables, security needs to be a consistent habit with application development teams. For development teams, security is a habit that produces long-term positive results. Citizens whose information has been exposed are advised to be wary of unsolicited emails or telephone calls that might include information such as address, age, and other personal details.
