A security lapse in Reliance Jio’s Covid-19 self-checker tool has led to one of the tool’s core databases being exposed to the internet without a password, TechCrunch reported on Sunday.

The security issue was first detected by cybersecurity researcher Anurag Sen, who found the database on May 1, right after it was first exposed, the report said. After TechCrunch notified the company, Jio immediately pulled the system offline. It has not been specified how many people accessed the database before the system was taken offline.

“The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms,” said Jio spokesperson Tushar Pania as quoted by TechCrunch.

What the tool does

Reliance Jio had rolled out the online tool back in March. The self-checker is meant to help people self-assess their symptoms in order to map their risk of contracting Covid-19.

The self-test is a list of questions at the end of which the AI-driven tool figures out the test taker’s risk level, from high to low.

The questionnaire begins with basic questions, including who the test is for and the age and gender of the person. It then asks the respondent about their health conditions and travel history, and whether the user or their family have come in contact with a Covid-positive person.

Issue

The database that was accessed by Sen contained millions of logs and records, from April 17 until the time it was pulled offline.

As mentioned by Pania, the server was meant to monitor website performance and contained a running log of website errors and other system messages. However, it also contained data on a huge number of users who had taken the self-test. The data also showed who the test was taken for, along with information about the user’s browser version and operating system.

It also had the individual records of users who had signed up on the website to create a profile which allowed them to update their symptoms over time. The database contained the user’s answers to each question.

According to the report, certain records also contained a user’s precise geolocation if the user allowed the symptom checker access to their browser or phone’s location data. TechCrunch was able to identify users’ homes using the location data found.

The majority of the location data is clustered around cities such as Mumbai and Pune. However, data of users in locations such as the United Kingdom and North America was also found.

The company has not yet specified if it will inform users of the symptom tracker about the security lapse.
