The Aarogya Setu app has been red-flagged by a Paris-based ethical hacker who claims that the COVID-19 contact tracing app has a security issue. The hacker, who tweets under the name Elliot Alderson, posted about it on May 5, 2020, stating that the app puts the privacy of 90 million Indians at stake. However, the hacker did not disclose the flaw or vulnerability.
In reply to the hacker's tweet, the makers of the Aarogya Setu app issued a statement clarifying that no data or security breach has been identified in the app. The statement details the user data the app collects on different occasions, such as self-assessment, among others.
Ethical Hacker's tweet regarding flaws in Aarogya Setu app:

Hi @SetuAarogya,
A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?
Regards,
PS: @RahulGandhi was right
— Elliot Alderson (@fs0c131y) May 5, 2020

Aarogya Setu App Maker's reply:

Statement from Team #AarogyaSetu on data security of the App. pic.twitter.com/JS9ow82Hom
— Aarogya Setu (@SetuAarogya) May 5, 2020

Aarogya Setu's clarification against the issues raised by the hacker (statement below):
Issue 1: App fetches the location of users on a few occasions
Aarogya Setu's reply: The fetching of the user's location is by design and is also mentioned in the app's privacy policy. The user's location is stored on the app's server in a secure and encrypted manner on the following occasions:
- During user registration
- During self-assessment
- During voluntary submission of contact tracing data by users
- When the app fetches a user's contact tracing data after they turn COVID-19 positive
Issue 2: Users get COVID-19 statistics displayed on the app's home screen when they change the radius or latitude-longitude through a script
Aarogya Setu's reply: The radius parameters of the app are fixed and take only one value among five – 500 meters, 1 km, 2 km, 5 km and 10 km. These values are posted with HTTP headers, and any value apart from these five gets defaulted to 1 km.
On the other hand, users can change the latitude or longitude to get information on multiple locations. However, the API call is behind a Web Application Firewall, making bulk calls impossible. Accessing data of multiple locations through this is similar to asking people for their location's COVID-19 stats. This information is already public and does not compromise sensitive or personal data.
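As an added illustration, not code from the app, NIC or this article, here is how a server could enforce the two behaviours the reply describes: the radius allowlist that falls back to 1 km for any other value, and a per-client request cap standing in for the Web Application Firewall that the statement says bounds bulk calls. The parameter names (`radius`, `lat`, `lon`), the limit numbers, the handler shape and the coordinates in the simulated burst are assumptions constructed for the example; whether the values arrive in a header or a query string does not change the validation logic.

```python
"""Added example (not Aarogya Setu's code): allowlisted radius with a
1 km default, range-checked coordinates, and a per-client request cap.
Parameter names and limits are assumptions for illustration."""
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

# The five radius values the statement says the API accepts, in metres.
ALLOWED_RADII_M = (500, 1000, 2000, 5000, 10000)
DEFAULT_RADIUS_M = 1000  # "any other value ... gets defaulted to 1 km"


def normalise_radius(raw: Optional[str]) -> int:
    """Map a client-supplied radius onto one of the fixed values.

    Allowlist with default: a script sending 3000, -1, '10km' or nothing
    at all gets 1 km, so the client cannot widen the query area.
    """
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return DEFAULT_RADIUS_M
    return value if value in ALLOWED_RADII_M else DEFAULT_RADIUS_M


def parse_coordinates(lat_raw: Optional[str],
                      lon_raw: Optional[str]) -> Optional[Tuple[float, float]]:
    """Parse and range-check latitude/longitude; None means reject (HTTP 400).

    Note the asymmetry with the radius: any real-world coordinate is a valid
    request, so input validation alone cannot stop a script from querying
    many locations. That is why the statement points to the WAF instead.
    """
    try:
        lat, lon = float(lat_raw), float(lon_raw)
    except (TypeError, ValueError):
        return None
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return lat, lon


class SlidingWindowLimiter:
    """Per-client request cap over a sliding window (assumed WAF-style rule)."""

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, client_id: str, now: float) -> bool:
        hits = self._hits.setdefault(client_id, deque())
        while hits and now - hits[0] >= self.window:  # drop expired hits
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def handle_stats_request(params: Dict[str, str], client_id: str, now: float,
                         limiter: SlidingWindowLimiter) -> Tuple[int, dict]:
    """Return (HTTP status, body) for one stats query.

    Order matters: the rate limit is checked first so that rejected bulk
    traffic never reaches parsing or the data layer.
    """
    if not limiter.allow(client_id, now):
        return 429, {"error": "rate limited"}
    coords = parse_coordinates(params.get("lat"), params.get("lon"))
    if coords is None:
        return 400, {"error": "invalid coordinates"}
    radius = normalise_radius(params.get("radius"))
    # The body echoes the normalised query; the aggregate lookup itself is
    # outside the scope of this example.
    return 200, {"lat": coords[0], "lon": coords[1], "radius_m": radius}


def simulate_burst(n_requests: int, cap_per_minute: int) -> List[int]:
    """One client sweeping latitude one request per second; constructed input."""
    limiter = SlidingWindowLimiter(cap_per_minute, 60.0)
    statuses = []
    for i in range(n_requests):
        params = {"lat": str(28.6 + 0.01 * i), "lon": "77.2", "radius": "2000"}
        status, _ = handle_stats_request(params, "client-A", float(i), limiter)
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(normalise_radius("3000"))      # 1000: not one of the five values
    print(simulate_burst(5, 3))          # [200, 200, 200, 429, 429]
```

The limiter keys on a client identifier; in practice that would be whatever the WAF can attribute a request to (source address, API key, device token), and the cap should be set from observed legitimate usage of the home-screen refresh rather than the guessed numbers used here.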
Ethical Hacker warns Aarogya Setu App Makers
The statement notes that, as per the ethical hacker, no personal information of users has been proven to be at risk. The makers assure users that no data or security breach has been identified in the functioning of the app. To this, the ethical hacker replied in a tweet warning the government that if the data breaches are not fixed, he would disclose the issues publicly. Have a look.

Basically, you said "nothing to see here"
We will see.
I will come back to you tomorrow. https://t.co/QWm0XVgi3B
— Elliot Alderson (@fs0c131y) May 5, 2020

The Aarogya Setu app was launched in March 2020, soon after the lockdown was announced in India amid the coronavirus outbreak. The app, developed by the National Informatics Centre (NIC) under MeitY, helps the government with contact tracing and identifying the location of people who turn COVID-19 positive. Within a month of its launch, the app had about 90 million users.