It has been reported that a security flaw in a website run by the government of West Bengal in India exposed the lab results of at least hundreds of thousands of residents, though likely millions, who took a COVID-19 test. The website is part of the West Bengal government’s mass coronavirus testing program. Once a COVID-19 test result is ready, the government sends a text message to the patient with a link to its website containing their test results.
The researcher found that the link containing the patient’s unique test identification number was scrambled with base64 encoding, which can be easily converted using online tools. Because the identification numbers were incrementally sequenced, the website bug meant that anyone could change that number in their browser’s address bar and view other patients’ test results.
<p>A website for COVID test results in West Bengal in India is apparently missing access control, such that anyone can view results for anyone else. Like most software, this application was probably built as quickly as possible with functionality being its only goal. We will stop seeing these kinds of headlines only when development teams include security at every phase of development. In this case, about ten minutes of threat modeling during the application’s design would have made obvious the danger of the scheme for referencing results. Designing a better access system would have added perhaps an hour or two to the development cycle. Like brushing your teeth or eating your vegetables, security needs to be a consistent habit with application development teams. For development teams, security is a habit that produces long-term positive results. Citizens whose information has been exposed are advised to be wary of unsolicited emails or telephone calls that have might include information such as address, age, and other personal details.</p>