A security flaw A website operated by the Indian government in West Bengal published the laboratory results of at least hundreds of thousands of residents, but probably also of millions who took a COVID-19 test.
The website is part of the West Bengal government’s mass coronavirus testing program. Once there is a COVID-19 test result, the government will send a text message to the patient with a link to their website that contains the test results.
However, security researcher Sourajeet Majumder found that the link with the patient’s unique test identification number was encrypted using Base64 encoding, which can be easily converted using online tools. Because the identification numbers were sequenced incrementally, the website bug meant anyone could change that number in their browser’s address bar and view other patients’ test results.
The test results include the patient’s name, gender, age, mailing address, and whether the patient’s laboratory test result was positive, negative, or inconclusive for COVID-19.
Majumder told TechCrunch that he feared a malicious attacker could scratch the website and sell the data. “This is a data breach if someone else gets access to my private information,” he said.
Two edited COVID-19 laboratory test results were posted on the West Bengal government website due to a security vulnerability. (Screenshot: TechCrunch)
Majumder reported the vulnerability to India’s CERT, the country’s dedicated cybersecurity response department, which confirmed the problem in an email. He also contacted the West Bengal government website manager who did not respond. TechCrunch independently confirmed the vulnerability and also reached out to the West Bengal government, which took the website offline but did not return our requests for comments.
TechCrunch held our report until the vulnerability was resolved or the risk no longer existed. At the time of publication, the affected website will remain offline.
It is not known exactly how many COVID-19 laboratory results were disclosed as a result of this vulnerability or whether anyone other than Majumder discovered the vulnerability. When the website went offline in late February, the state government had tested more than 8.5 million residents for COVID-19.
With around 90 million inhabitants, West Bengal is one of the most populous states in India. Since the pandemic began, the state government has recorded more than 10,000 coronavirus deaths.
It is the latest of several security incidents over the past few months to hit India and its response to the coronavirus pandemic.
Last May, India’s largest cellular network, Jio, admitted a security flaw after a security researcher found a database containing the company’s coronavirus symptom checker that Jio launched months earlier.
In October, a security researcher found that Dr. Lal PathLabs had left hundreds of tables with millions of patient booking records – including those for COVID-19 testing – on a public storage server that was not password protected so anyone could access sensitive patient information.
Send tips securely via Signal and WhatsApp to +1 646-755-8849. You can also send files or documents with SecureDrop.