These are the privacy issues in Aarogya Setu, India's Covid-19 tracker app, alleged by French hacker Elliot Alderson
Rounak Jain/Business Insider India
- Elliot Alderson has claimed that the Aarogya Setu app allows users to find out who is sick in a particular area.
- He has also contradicted the Aarogya Setu team’s claim that bulk calls to the API are not possible.
A French ethical hacker who goes by the alias "Elliot Alderson" earlier claimed that he had found security and privacy issues in India’s Covid-19 tracker app Aarogya Setu. The Aarogya Setu team denied this and said that the app is secure.
Alderson has since published a post detailing the issues he found in the Aarogya Setu app.
App allows users to access internal files
In April, Alderson found that the WebViewActivity allowed users to access internal files of the app by using commands as there was no host validation. However, the issue has now been fixed.
Aarogya Setu allows you to find out who is sick
The next issue found by Alderson is that it is possible to modify the user’s location to find out who is sick in a particular area. While the app lets users set the radius of the area to 500m, 1km, 2km, 5km or 10km, Alderson was able to change it to 100km.
He added that this flaw could allow anyone to find out who is sick in a particular area.
“Thanks to this endpoint an attacker can know who is infected anywhere in India, in the area of his choice. I can know if my neighbour is sick for example. Sounds like a privacy issue for me…” said Alderson.
However, local governments have been publishing information about Covid-19 patients to alert the people who may have come in contact with them, so this may not be a very big issue.
Alderson claims bulk calls to the API are possible
The Aarogya Setu team, in its earlier response to Alderson’s claims, had said that bulk calls to the API are not possible as it is behind a web application firewall. However, Alderson has now claimed that bulk calls are possible, and that he spent an entire day sending bulk calls.