Since the onset of the outbreak, governments and businesses have been trying to develop apps and websites that users can use to identify symptoms of COVID-19.
India's largest mobile network, Jio, a subsidiary of Reliance, launched its coronavirus self-test symptom checker in late March, shortly before the Indian government imposed a strict nationwide lockdown to prevent the further spread of the coronavirus. With the symptom checker, anyone can check their symptoms from their phone or the Jio website to see if they may have been infected with COVID-19.
According to theinformationsuperhighway, a vulnerability has made one of the symptom checker's core databases accessible without a password.
Security researcher Anurag Sen found the database on May 1, shortly after it was first released, and informed theinformationsuperhighway so that it could notify the company. Jio quickly took the system offline after theinformationsuperhighway contacted them. It is not known whether anyone else accessed the database.
"We took action immediately," said Jio spokesman Tushar Pania. "The logging server was used to monitor the performance of our website and was only intended for people who are self-testing to determine if they have COVID-19 symptoms."
The database contains millions of logs and records from April 17th until the database was taken offline. Although the server contained a running log of website errors and other system messages, it also recorded a large amount of user-generated self-test data. Each self-test was logged in the database and contained a record of who took the test, such as "Self" or a relative, along with their age and gender.
The data also included the person's user agent, a small snippet of information about the user's browser version and operating system, which is often used to load the website properly but can also be used to track a user's online activity.
The database also contains individual records of those who logged in to create a profile so that they could update their symptoms over time. These records included the answers to each question asked by the symptom checker, including their symptoms, whom they had been in contact with, and what health conditions they may be suffering from.
Some of the records also included the exact location of the user, but only if the user gave the symptom checker access to the location data of their browser or phone.
We have published a redacted portion of one of the records below.
From a sample of data we received, we determined the exact geolocation of thousands of users from across India. theinformationsuperhighway was able to identify people's homes based on the longitude and latitude found in the database.
Most of the location data is clustered in large cities such as Mumbai and Pune. theinformationsuperhighway also found users in the UK and North America.
The exposure could not have come at a more critical time for the Indian telecommunications giant. Last week, Facebook invested $5.7 billion for a nearly 10% stake in Jio's Platforms, valuing the Reliance subsidiary at around $66 billion.
Jio has not answered our follow-up questions, and the company has not indicated whether it will inform those who used the symptom tracker about the vulnerability.