
French hacker claims Pakistan's COVID-19 contact tracing app reveals patients' locations, govt denies claims

A French ethical hacker has reported privacy flaws in Pakistan's COVID-19 contact tracing app – COVID-19 Gov PK – via a series of tweets. The hacker, Robert Baptiste, who goes by the username Elliot Alderson, pointed out that the app has "hardcoded passwords, insecure connections, privacy issues and...nothing is okay with this app".

To recall, the same hacker also spoke to Firstpost about India's Aarogya Setu app. He had said that the Indian government must convince people of the app’s efficacy rather than force them to use it.

In a series of tweets, he emphasised that COVID-19 Gov PK is "NOT" a contact tracing app. The hacker added that the app, "gives access to dashboards for each province and state, you can do a self-assessment, get radius alert, get a popup notification reminding the user of their personal hygiene".

Basically, it will show you the number of confirmed, critical, recovered, and fatal cases across the country in the past 24 hours.


The COVID-19 Gov PK is developed by the Ministry of IT and Telecom with the National Information Technology Board of Pakistan. It is now available on Play Store and according to the tweet, it has been downloaded more than 5,00,000 times.

He also claims that "When you open the app, it asks a token to the pak gov server with hardcoded credentials: CovidAppUser/CovidApi!@#890#".

As per a report by Geo TV, a Pakistani news publication, hardcoded credentials – a password embedded into the code for easy access by the developer – are a major security risk, as hackers target them to gain access to the app itself, or worse, the device. It further added that ideally these credentials should be removed before the app's release, but they are often left in from the development stage.
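A release-time check for credentials embedded in source can be automated. The following is an added example, not code from the article, the researcher or the app: a small scanner that flags secret-looking string literals and reports them redacted. The patterns, the function names and the Java sample are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Identifier that suggests a secret, assigned a quoted string literal.
SECRET_ASSIGN = re.compile(
    r'\b(\w*(?:password|passwd|pwd|secret|api_?key|token)\w*)\s*[:=]\s*"([^"\n]{4,})"',
    re.IGNORECASE)
# user:password embedded in a URL literal.
URL_CREDS = re.compile(r'://[^/\s:@"]+:([^/\s@"]+)@')
# Values that are references or placeholders rather than real secrets.
PLACEHOLDER = re.compile(r'^(\$\{.+\}|<.+>|@string/.+)$')

def redact(value):
    """Keep build logs free of the secret itself: two characters, rest masked."""
    return value[:2] + "*" * (len(value) - 2)

def scan(source, filename="<memory>"):
    """Return (filename, line number, kind, redacted value) for each finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in SECRET_ASSIGN.finditer(line):
            if not PLACEHOLDER.match(m.group(2)):
                findings.append((filename, lineno, m.group(1), redact(m.group(2))))
        for m in URL_CREDS.finditer(line):
            findings.append((filename, lineno, "url-credentials", redact(m.group(1))))
    return findings

# Constructed sample (not taken from any real app).
SAMPLE = '''\
public class TokenClient {
    private static final String API_PASSWORD = "Sample!Pass#123";
    private static final String ENDPOINT = "https://api.example.invalid/token";
    private static final String LEGACY = "https://svc:Constructed1@api.example.invalid/";
    private String sessionToken = BuildConfig.TOKEN;
    private String apiSecret = "${API_SECRET}";
    String hint = "Enter password";
}
'''

if __name__ == "__main__":
    # Scan files named on the command line, or the sample; non-zero exit fails the build.
    texts = [(p, Path(p).read_text(encoding="utf-8", errors="replace")) for p in sys.argv[1:]]
    results = [f for name, text in texts or [("sample", SAMPLE)] for f in scan(text, name)]
    for f in results:
        print("%s:%d: hardcoded %s = %s" % f)
    sys.exit(1 if results else 0)
```

A clean scan does not make a client-side value secret: anything compiled into a distributed app can be read back out of it, so this check only catches literals that should never have shipped.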

Further, Alderson also reveals that the app asks for positions of the infected person on the map, and the request made by the app is "insecure". He added that in the "Radius Alert" tab, "you can get a map of infected people. Ofc, the exact coordinates of infected people are downloaded by the app". Bye, bye privacy?

At the end, the hacker tweeted, "Thanks for the good laugh, you are the worst #Covid19 app I analysed."


Government's take

Meanwhile, per the report by Geo TV, the National Information Technology Board (NITB) has refuted the claims by the French researcher, saying they were "incorrect".

As per the report, the press release said, “The purpose of the app is to stop the epidemic spread. A very limited personal information of the user is collected. The app does not show the exact coordinates of the infected people, instead, it shows the radius parameter that is fixed by default at 10 meters for self-declared patients and 300 meters at a quarantine location. Hence, self-declared patients have to give their consent to reveal their coordinates for the safety of other citizens. Moreover, they have accepted our app privacy policy/terms and conditions.”

It added, “No user login mechanism is present in the app. Therefore, the use of login and passwords are not part of app workflow. The screenshot mentioning the hardcoded password is the defined keyword to give more security to auto-token endpoint, so that endpoint can only be used from mobile apps.”

“All our API's communicate using HTTPS. Hence, security and protection of data of users as per international standards is of prime importance and implemented at the core,” it added.
