1/ Yesterday night, I analysed "COVID-19 Gov PK", the official #Covid19 mobile app made by the Pakistani government. Hardcoded passwords, insecure connections, privacy issues, ... nothing is ok with this app.

Want to see this horror? Follow me ⬇️
2/ This app, made by the Ministry of IT and Telecom with National Information Technology Board, is available on the PlayStore and has been downloaded more than 500,000 times.

play.google.com/store/apps/det…
3/ It's NOT a contact tracing app. It gives access to dashboards for each province and state, you can do a self-assessment, get a radius alert, get a popup notification reminding the user of their personal hygiene (wut?).
4/ When you open the app, it asks the Pakistani government server for a token with hardcoded credentials: CovidAppUser / CovidApi!@#890#
5/ Because hardcoded credentials seem to be a thing in Pakistan, when the app requests the positions of infected people on the map, they used another set of hardcoded creds: ApiUser / ApiUser@1234#
6/ The 1st request made by the app is, ofc, an insecure request
7/ In the "Radius Alert" tab you can get a map of infected people. Ofc, the exact coordinates of infected people are downloaded by the app 🤦‍♂️

Sick people deserve privacy
8/8 To sum up, in "COVID-19 Gov PK" we found:
- hardcoded passwords
- insecure requests
- privacy issues

Thanks for the good laugh, you are the worst #Covid19 app I analysed
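As an added example (not code from the app or from the thread's author), here is how the "Radius Alert" feature could be served without shipping the exact coordinates of infected people to every client: the server does the distance check and returns only a bucketed count. The case locations, coordinates and minimum radius are constructed sample values.

```python
"""Radius alert computed server-side, returning an aggregate instead of raw case locations.

Added example: contrasts the weak design described in the thread (client downloads
exact coordinates of infected people) with a server-side check that returns only a
bucketed count. All case locations below are constructed sample data, not real records.
"""
import math

EARTH_RADIUS_KM = 6371.0
MIN_RADIUS_KM = 1.0  # assumed policy: refuse radii small enough to pinpoint one person

# Constructed sample data: (lat, lon) of reported cases. Not real records.
CASE_LOCATIONS = [
    (33.6844, 73.0479),  # near Islamabad
    (33.7000, 73.0500),  # near Islamabad
    (31.5204, 74.3587),  # near Lahore
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def leaky_radius_alert(user_lat, user_lon, radius_km, cases=CASE_LOCATIONS):
    """Weak design (what the thread describes): the response carries the exact
    coordinates, so every client learns where each infected person is."""
    return [c for c in cases if haversine_km(user_lat, user_lon, *c) <= radius_km]


def aggregated_radius_alert(user_lat, user_lon, radius_km, cases=CASE_LOCATIONS, min_count=3):
    """Server-side check that never reveals coordinates. The radius is clamped to a
    minimum and small counts are reported as a range, which reduces (but does not
    eliminate) the ability to locate a single case by repeated queries."""
    radius_km = max(radius_km, MIN_RADIUS_KM)
    n = sum(1 for c in cases if haversine_km(user_lat, user_lon, *c) <= radius_km)
    if n == 0:
        return {"alert": False, "cases_nearby": "0"}
    if n < min_count:
        return {"alert": True, "cases_nearby": f"<{min_count}"}
    return {"alert": True, "cases_nearby": str(n)}
```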
