[ad_1]
Since the start of the outbreak, governments and companies have been quick to develop applications and websites that can help users identify the symptoms of COVID-19.
India’s largest cellular network, Jio, a Reliance subsidiary, launched its coronavirus self-assessment symptom checker in late March, just before the Indian government imposed a strict national blockade to prevent the spread of the coronavirus. Symptom Checker allows anyone to check their symptoms from their phone or from the Jio website to see if they may have been infected with COVID-19.
TechCrunch discovered that a security lapse exposed one of the core symptom checker databases to the Internet without a password.
The Jio coronavirus symptom checker. One of its databases exposed user responses. (Image: TechCrunch)
Security researcher Anurag Sen found the database on May 1, right after it was first exposed, and informed TechCrunch to notify the company. Jio quickly disconnected the system after TechCrunch made contact. It is not known if anyone else accessed the database.
“We have taken immediate action,” said Jio Tushar Pania’s spokesman. “The registration server was for monitoring the performance of our website, intended for the limited purpose of people doing a self-test to see if they have any COVID-19 symptoms.”
The database contains millions of records and logs from April 17 until the time the database went offline. Although the server contained a continuous log of website errors and other system messages, it also ingested a large number of user-generated self-test data. Each self-assessment was recorded in the database and included a record of who performed the test, such as “oneself” or a relative, their age and gender.
The data also included the person’s user agent, a small snippet of information about the user’s browser version and operating system, which is often used to load the website correctly, but can also be used to track activity. online from a user.
The database also contains individual records of those who signed up to create a profile, allowing users to update their symptoms over time. These records contained the answers to each question asked by the symptom checker, including what symptoms they are experiencing, who they have been in contact with and what health conditions they may have.
Some of the records also contained the precise location of the user, but only if the user allowed the symptom checker to access the location data from their browser or phone.
We have posted a redacted portion of one of the records below.
A redacted portion of the exposed database. (Image: TechCrunch)
From a sample of data we collected, we found the precise geolocation of thousands of users from across India. TechCrunch was able to identify people’s homes using the latitude and longitude records found in the database.
Most of the location data is grouped around major cities such as Mumbai and Pune. TechCrunch also found users in the UK and North America.
The exhibition could not come at a more critical time for the Indian telecommunications giant. Last week, Facebook invested $ 5.7 billion for a close to 10% stake in the Jio Platforms, valuing the Reliance subsidiary at approximately $ 66 billion.
Jio did not respond to our follow-up questions, and the company did not say whether it will inform those who used the safety lapse symptom tracker.
Source: TechCrunch
Related
[ad_2]
