🧵 How a misconfig let anyone view PII of Covid-19 patients and modify data related to Covid-19 sero survey (Of Haryana)

So, the Govt Of Haryana has 2 state projects under the @_DigitalIndia programme called :
1. Covid Sample Report Portal
2. Covid-19 Sero Survey Portal

According to official docs, the first portal is used to store COVID-19 testing details uploaded by all COVID-19 laboratories (public or private) for effective monitoring directly by @cmohry

Source : negd.gov.in/sites/default/…

#infosec #bugbounty #hacking
And the second portal is used to estimate and monitor the trends of sero-prevalence of SARS-CoV infection in the general population and high burden cities of Haryana.

Source : negd.gov.in/sites/default/…

#infosec #bugbounty #hacking
While testing, I found both of these projects were vulnerable to a VERY BASIC and easy-to-exploit vulnerability known as Forced Browsing/Direct URL access attack.

Confusing ? Let me explain this for you. I'm sure you'll understand, why I wrote that in caps 🥴

A Forced browsing attack is a vulnerability in which an unauthorized user gets access to the contents of an authorized user or other sensitive resources in a web server by forcing the URL directly.

Still not clear? Cool, I'll give you an example.

#bugbountytips #infosec
Eg:When I visited covidsample(.)haryana(.)gov(.)in,it opened up an admin panel but when I made a direct request to covidsample(.)haryana(.)gov(.)in/listpositive,it gave me a list of positive patients along with their PII without any kind of log in.

Yes,it was that simple. (6/13)
So, what did this allow me to do ? What was the impact ? This is exactly what you were waiting for, right ?

Advice : Please get yourself a seat, before you proceed to read the next part.

#hacking #cybersecurity #bugbounty #pentest
This security issue allowed me or in fact anyone to :
1. View a list of positive patients from Haryana along with their mobile number,age,gender,residence address,test result and other details.

There were a total of 2,68,126 patients and it was being updated in real time. (8/13)
2. Edit user records
3. Update records (Change status to positive, negative etc).
4. Delete records.
5. Change sample ID.
6. View and add lab incharge.

Points 2-6 were happening on the Sero Survey Portal. Ik, it's scary.

#bugbountytips #hacking #infosec #Pentesting
Responsible Disclosure Timeline :
Dec 14, 2021 : Mailed the concerned authority.
*The site was pulled offline within 2hrs of reporting*

Dec 14 : Received basic acknowledgement. "Thankyou for reporting.Will examine."

Dec 15 : Asked for an update. No response.

Dec 31 : Noticed that the site was live once again with the vulnerability fixed.

Jan 6, 2022 : Asked again, if the vulnerability was exploited in the wild or if any data was breached. Didn't receive any response yet.

Additionally, I also found that the direct URLs were being indexed by search engines.

So, there are high chances that even normal users might have clicked on them and gained access to sensitive data or administrative controls. This is where it became more scary. (12/13)
Also, this is not the first time a govt site has mismanaged data of Covid patients/test takers or left them exposed. Here is my other find from 2021:

It's high time that the Govt starts testing the sites for such bugs, before they are brought live (13/13)

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Sourajeet Majumder

Sourajeet Majumder Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @TechCrucio

18 Apr 21
Bad day for #job seekers 🤦
@wisdom_jobs which is one of the three major job portals in #India has allegedly been breached and login credentials of around 238K+ of its users have been made public for free by hackers on #telegram and #hacking forums :(
@sanjg2k1 @IndianCERT
The login credentials which the hackers have made public includes email address & Base64 encoded passwords which literally just takes 2 secs to decode and I have personally verified that almost all of them are working credentials 🥴
Cyber criminals can easily login using these credentials and can get access to a user's name, DOB, number, residence address, education background, marital status and many other info and also make any changes to it, which is scary !
Read 4 tweets
17 Apr 21
NOT AGAIN ! A member of a #hacking forum has allegedly breached @dominos_india and got access to 13TB of internal files (from 2015-21), which he threatens to sell if a #ransom of 50 BTC is not paid 😨
#india #databreach #infosys #gdpr
Acc to him, he has internal files of 250 employees from IT, Legal, Finance, Marketing, Operations etc. Also customers details and 180M order details (name, ph number, email, delivery address, payment details) and 1M credit cards used to purchase on the @dominos app.
The post made by him mentions that, he will be selling the #breached data for 2 BTC or 8 BTC (according to the package one chooses). However if @dominos_india wants to prevent the data from getting sold, they will need to pay him a ransom of 50 BTC💰
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!