1/ A few days back a hacker claimed that he had found some serious security flaws in @SetuAarogya and that 90 million users' privacy is at risk, and also wrote an article on Medium explaining the issues he found. Follow the thread to know the REALITY of the so-called security issues.
Read the bold part (which states the important point in brief) in the tweets ahead in this thread.
That is an intentional feature of the application and it provides you the number of nearby users, COVID-19 positive users etc. and NOT their identities. Also the radius for which you can ask for this data has only a few values: 500m, 1Km, 2Km, 5Km, 10Km only.
Claim by the hacker: The hacker claimed that he could fetch data for a custom radius (any radius value he likes, say even 100m), which could be a privacy issue as he could reduce the radius to, say, 50m and check if his neighbour is unwell or COVID-19 positive etc.
Archive of his original article where the response option is ON, where he has called that location New Delhi (the latitude, longitude in his request sent to the server you can clearly see as 19.0760, 72.8777) and the authorisation token is not hidden in his image: archive.is/CxQFb
My first response to his article: facebook.com/47172999620097… Also he blocked me, just like others @hexachordanu @sunnyrockzzs @hexachordanu @Th3_N1gh7m4r3 @Sri_Hxor @virtualgh0st and many more, for pointing out such things.
Yes! The hacker needs unrestricted access to your phone for the issues we are going to talk about now. It's not about fetching some data from the server but trying to fetch from the app directory or other mischief there. They are client-side validation bypasses in an exploitation medium.
Yeah, the MITM here needs all that. And this is something you can do with most of the apps you are going to find.
The app doesn't have permission to read your external storage and the same applies to the files that can be accessed by the webview. So would a hacker make so much effort with your mobile phone (with unrestricted access) to print the internal files of that app before you?
I remember the case of the @UIDAI application #mAadhaar where similar issues of client-side validation bypass were pointed out by him and the mainstream media highlighted that issue so much without even understanding what the actual matter was. #Aadhaar #Security
My suggestion to @UIDAI @SetuAarogya @GoI_MeitY @rsprasad @UmangOfficial_ @NPCI_BHIM @digilocker_ind @IRCTCofficial 🙏 is to make a few guidelines for bug hunters (those who find loopholes in websites or mobile applications and report them to the responsible person or team).
And this was the TOP response on that article by the hacker (all top responses were like this), after which he turned off the response option. Here are the archives of this response: archive.is/7X1On (in case needed) and the original link: medium.com/@wrenharoldfin…
And a brief history of that hacker's work when it comes to exposing our govt app or website issues, as he keeps claiming. When he accepted his Aadhaar hacking challenge all he did was fetch information from the public domain.
And when he pointed out a security breach in the @BJP4India official website by pointing to the encryption used there (that was CLIENT-side encryption), so obviously it should be visible to clients. It's explained well here: facebook.com/47172999620097…
Something he needs to understand. Thanks to the person for pointing it out. Hopefully next time he will blur or hide the tokens before posting videos or pics.
If you want to go into more technical details you can go through this: medium.com/@N1gh7m4r3/exp… and yeah, getting blocked by him for asking technical things has become a standard in the mainstream hacking community. And this pic sums it up!
Also their reply is exactly what a team would reply when they receive such bug reports. The reply clearly mentions that the radius parameter is distance, while in the article the hacker has taken the distance as 5km (which is not a custom value). It seems he could not get what they meant.
Some fellow brothers and sisters requested me to summarise the above in brief. You can read this 👇 (in a single image as you requested). Though to understand the points said here you may have to go through the tweets above ☝️ in this thread. This is in a way an overview 🙂👇.
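The point the thread makes about the radius feature (only a fixed set of distances, and only aggregate counts rather than identities) comes down to the server enforcing the allowlist itself, so a client-side check being bypassed changes nothing. The following Python is an added illustration of that design, not Aarogya Setu's code: the function names, the sample users and their coordinates are constructed for the example, and only the allowed radius values and the 19.0760, 72.8777 coordinates come from the thread.

```python
# Added example (not the app's own code): server-side enforcement of a fixed
# set of radius values, returning aggregate counts only, never user records.
import math

# Radius values the thread says the app offers, in metres.
ALLOWED_RADII_M = frozenset({500, 1000, 2000, 5000, 10000})

# Constructed sample data: hypothetical nearby users as (lat, lon, status).
SAMPLE_USERS = [
    (19.0760, 72.8777, "positive"),   # at the query point itself
    (19.0765, 72.8780, "unwell"),     # roughly 60 m away
    (19.0800, 72.8900, "healthy"),    # roughly 1.4 km away
    (19.1100, 72.8777, "positive"),   # roughly 3.8 km away
    (19.2000, 72.9500, "positive"),   # well beyond 10 km
    (18.9000, 72.8000, "healthy"),    # well beyond 10 km
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def validate_radius(distance):
    """Server-side allowlist check on the 'distance' parameter.

    Anything outside the fixed set is rejected, so a client that edits the
    value (the 50 m / 100 m case the thread discusses) gets an error, not data.
    """
    try:
        value = int(distance)
    except (TypeError, ValueError):
        raise ValueError("distance must be an integer number of metres")
    if value not in ALLOWED_RADII_M:
        raise ValueError(f"distance must be one of {sorted(ALLOWED_RADII_M)}")
    return value


def nearby_counts(lat, lon, distance, users=SAMPLE_USERS):
    """Aggregate counts within an allowed radius of (lat, lon).

    The response carries only totals per status; no per-user identity or
    location leaves the server regardless of which radius was requested.
    """
    radius = validate_radius(distance)
    counts = {"total": 0, "positive": 0, "unwell": 0}
    for ulat, ulon, status in users:
        if haversine_m(lat, lon, ulat, ulon) <= radius:
            counts["total"] += 1
            if status in counts:
                counts[status] += 1
    return counts


def handle_request(params, users=SAMPLE_USERS):
    """Minimal request handler: returns a (status_code, body) pair so the
    rejection path is visible alongside the normal one."""
    try:
        body = nearby_counts(float(params["lat"]), float(params["lon"]),
                             params.get("distance"), users)
    except (KeyError, ValueError) as exc:
        return 400, {"error": str(exc)}
    return 200, body


if __name__ == "__main__":
    print(handle_request({"lat": "19.0760", "lon": "72.8777", "distance": "500"}))
    print(handle_request({"lat": "19.0760", "lon": "72.8777", "distance": "50"}))
```

The second call in the usage block is the tampered-parameter case: because the allowlist lives in the request handler rather than only in the app's UI, the response is a 400 with an error message, and even the accepted radii only ever return counts.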