Info-tech

Reliance Jio’s Covid-19 tracker tool user data exposed online due to a security lapse: Report

Hemani Sheth Mumbai | Updated on May 03, 2020 Published on May 03, 2020

Reliance Jio logo   -  Nagara Gopal

A security lapse in Reliance Jio’s Covid-19 self checker tool has led to one of the tool’s core database being exposed to the internet without a password, TechCrunch reported on Sunday.

The security issue was first detected by cybersecurity researcher Anurag Sen who found the database on May 1, right after it was first exposed, the report said. After TechCrunch notified the company, Jio immediately pulled the system offline. There is no specification as to how many people have accessed the database before the system was taken offline.

“The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms,” said Jio spokesperson Tushar Pania as quoted by TechCrunch.

What the tool does

Reliance Jio had rolled out the online tool back in March. The self-checker is meant to help people self-assess their symptoms in order to map their risk of contracting Covid-19.

The self-test is a list of questions at the end of which the AI-driven tool figures out the test taker’s risk level, from high to low.

The questionnaire begins with basic questions, including who the test is for and the age and gender of the person. It then asks the respondent about their health conditions, their travel history apart from if the user or their family have come in contact with a Covid-positive person.

Issue

The database that was accessed by Sen contained millions of logs and records starting April 17 till the time that it was pulled offline.

As mentioned by Pania the server was meant to monitor the website performance and contained a running log of website errors and other system messages. However, it also contained a database of a huge number of user data who had taken the self-test. The data also led back to who the test was taken for, information about the user’s browser version and their operating system.

It also had the individual records of users who had signed up on the website to create a profile which allowed them to update their symptoms over time. The database contained the user’s answers to each question.

According to the report, certain records also contained a user’s precise geolocation if the user allowed the symptom checker access to their browser or phone’s location data. TechCrunch was able to identify user’s homes using the location data found.

Majority of the location data is clustered around cities such as Mumbai and Pune. However, data of users in locations such as the United Kingdom and North America were also found.

The company has not yet specified if it will inform users of the symptom tracker about the security lapse.

Published on May 03, 2020
This article is closed for comments.
Please Email the Editor