ICMR Covid Reports Leaked: Aadhaar No, PII, PHI of ~13.20 Cr Users Exposed.

Vishal Ranjan
4 min read · Jul 2, 2021

Hi Folks!

Recently, I uncovered a critical vulnerability where anyone could access the Personally Identifiable Information (PII) and Protected Health Information (PHI) of other users (~13.20 crore records) without logging into the Covid-19 Sample Collection Management System.

Information exposed per record: Name, Address, Phone No, Aadhaar No, Passport No, Medical Information (Patient's ID, Test Result, Vaccination Status, etc.), and the Doctor's Name, Phone No and Email Address.

As a cyber-security professional, I believe it is my responsibility to make sure sensitive data like this does not reach bad actors. Imagine scammers getting hold of these records: they could easily have defrauded people, or the data could have been sold on the dark web.

I immediately reported the vulnerability to CERT-In in detail, and they escalated it to the relevant authorities. The issue was partially fixed on 23rd April 2021 and completely fixed on 30th June 2021.

It all started when BBMP came to our apartment on 20th April 2021 to collect samples for RT-PCR tests. Once a sample is collected, the person receives an SMS containing their Name, the SRF ID (Specimen Referral Form ID) and a link to download the report (the ICMR Specimen Referral Form for Covid-19), e.g. https://covid19cc.nic.in/PDFService/Specimenfefform.aspx?formid=<RandomizeValue>

My wife received the message on her mobile. I did not, so I waited 1–2 hours hoping it would be delivered to mine.

So I checked the link my wife had received, and the SRF form downloaded as soon as I clicked it. I was surprised to see that the form (containing sensitive details) was downloaded as <SRF ID>.pdf without any verification step (e.g. an OTP), even though the form ID looked randomised.

I tried a couple of decoding techniques to uncover the logic behind the form ID generation, but had no luck. Next I did some recon using Google dorking, to check whether such links had been cached by Google (the form ID travels in a GET parameter, so it can end up in search indexes, referrer headers and logs) and whether any other useful information was exposed.

I was disheartened to find that the Covid-19 Sample Collection Management System's secret key was hardcoded in the application source code, and that this code, including the logic that generates the "randomised" form ID, had been posted on a public C# online compiler (https://dotnetfiddle.net/), accessible over the internet without any authentication. It had been there since 12th Oct 2020.

With the encryption logic and the key in hand, it was possible to generate the link for every SRF form on the portal (~13.20 Cr records as of 23rd April 2021). Browsing any of those links downloaded the report without asking for any verification ☹.

[Screenshots: data as of 23rd April 2021; links to download SRF forms generated using the encryption logic; personal details (Name, Address, Phone No, Aadhaar No, Passport No); medical information (Patient's ID, Test Result, Vaccination Status, etc.)]
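To make the failure concrete, here is an added Python illustration (an editor's sketch, not the portal's code and not the author's): a "randomised" form ID that is really just a sequential SRF ID encrypted under a hardcoded key, the enumeration an attacker can run once the key and the generation logic leak, and the hardened design that the later fix moved towards, namely a random server-side token gated by an OTP. The cipher (a toy XOR keystream), the key, the SRF ID values, the phone number and the treatment of the formid parameter are all assumptions; the write-up only says that a hardcoded key and the generation logic were public, not what the real scheme was.

```python
"""Added illustration, not the covid19cc.nic.in code: why a report link
derived from a hardcoded key is enumerable once key + logic leak, and how
an unguessable, server-side-authorised link differs.

Everything below is a hypothetical stand-in. The real form-ID scheme, key
and URL handling of the portal are not described in the write-up."""
import base64
import hashlib
import hmac
import secrets

BASE_URL = "https://covid19cc.nic.in/PDFService/Specimenfefform.aspx?formid="

# Hypothetical hardcoded key, standing in for the one found on dotnetfiddle.
LEAKED_KEY = b"hardcoded-app-secret"


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream from the key (toy XOR cipher, not the real scheme)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def weak_form_id(srf_id: int, key: bytes = LEAKED_KEY) -> str:
    """'Randomised' form ID: the sequential SRF ID encrypted under a fixed key.
    Looks opaque, but anyone holding key + logic can regenerate every value."""
    plain = str(srf_id).encode()
    ks = _keystream(key, len(plain))
    cipher = bytes(p ^ k for p, k in zip(plain, ks))
    return base64.urlsafe_b64encode(cipher).decode().rstrip("=")


def weak_form_id_decode(form_id: str, key: bytes = LEAKED_KEY) -> int:
    """Reverse of weak_form_id (XOR is its own inverse); recovers the SRF ID."""
    padded = form_id + "=" * (-len(form_id) % 4)
    cipher = base64.urlsafe_b64decode(padded)
    ks = _keystream(key, len(cipher))
    return int(bytes(c ^ k for c, k in zip(cipher, ks)).decode())


def enumerate_report_links(start: int, count: int, key: bytes = LEAKED_KEY) -> list:
    """What an attacker does with the leaked key: walk the SRF ID space and
    mint a valid download link for every record, no OTP involved."""
    return [BASE_URL + weak_form_id(i, key) for i in range(start, start + count)]


# ---- hardened variant: unguessable capability token + OTP gate -----------

class ReportStore:
    """Server-side table mapping a random token to a record, plus an OTP gate.
    The token carries no information, so there is nothing to decrypt or enumerate."""

    def __init__(self):
        self._records = {}  # token -> {"srf_id": int, "phone": str}
        self._otps = {}     # token -> OTP currently valid for that record

    def issue_link(self, srf_id: int, phone: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[token] = {"srf_id": srf_id, "phone": phone}
        return BASE_URL + token

    def send_otp(self, token: str) -> str:
        """Generate a 6-digit OTP. In production it is sent only to the
        registered phone; it is returned here so the demo can use it."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._otps[token] = otp
        return otp

    def fetch_report(self, token: str, otp: str):
        """Return the record only for a known token AND a matching, unused OTP."""
        record = self._records.get(token)
        expected = self._otps.get(token)
        if record is None or expected is None:
            return None
        if not hmac.compare_digest(expected, otp):
            return None
        del self._otps[token]  # single use
        return record


if __name__ == "__main__":
    # Constructed demo data: a victim with SRF ID 10500 and a fake phone number.
    victim_link = BASE_URL + weak_form_id(10500)
    print("victim link:", victim_link)
    print("regenerated by attacker:", victim_link in enumerate_report_links(10000, 1000))
    store = ReportStore()
    link = store.issue_link(10500, "+91-0000000000")
    tok = link[len(BASE_URL):]
    print("hardened link without OTP:", store.fetch_report(tok, "000000"))
    print("hardened link with OTP:", store.fetch_report(tok, store.send_otp(tok)))
```

The weak scheme fails for a reason that no choice of cipher fixes: the identifier is a function of a small, sequential input and a key that ships with the application, so whoever obtains the key can mint every valid link forward, without ever decrypting one. The hardened version ties the link to a random 256-bit token looked up server-side and still requires the OTP, which is the shape of the fix the portal eventually applied.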

I reported the vulnerability in detail to CERT-In on 22nd April 2021 and received an acknowledgment.

After the report, the individual SRF auto-download facility was disabled, and users now have to enter an OTP to view their SRF form.

The vulnerability was fixed completely, and I received confirmation from CERT-In on 30th June 2021.

Thank You!
