🧵 How a misconfig let anyone view PII of Covid-19 patients and modify data related to Covid-19 sero survey (Of Haryana)
So, the Govt Of Haryana has 2 state projects under the @_DigitalIndia programme called :
1. Covid Sample Report Portal
2. Covid-19 Sero Survey Portal
(1/13)
So, the Govt Of Haryana has 2 state projects under the @_DigitalIndia programme called :
1. Covid Sample Report Portal
2. Covid-19 Sero Survey Portal
(1/13)
According to official docs, the first portal is used to store COVID-19 testing details uploaded by all COVID-19 laboratories (public or private) for effective monitoring directly by @cmohry
Source : negd.gov.in/sites/default/…
(2/13)
#infosec #bugbounty #hacking
Source : negd.gov.in/sites/default/…
(2/13)
#infosec #bugbounty #hacking
And the second portal is used to estimate and monitor the trends of sero-prevalence of SARS-CoV infection in the general population and high burden cities of Haryana.
Source : negd.gov.in/sites/default/…
(3/13)
#infosec #bugbounty #hacking
Source : negd.gov.in/sites/default/…
(3/13)
#infosec #bugbounty #hacking
While testing, I found both of these projects were vulnerable to a VERY BASIC and easy-to-exploit vulnerability known as Forced Browsing/Direct URL access attack.
Confusing ? Let me explain this for you. I'm sure you'll understand, why I wrote that in caps 🥴
(4/13)
#hacking
Confusing ? Let me explain this for you. I'm sure you'll understand, why I wrote that in caps 🥴
(4/13)
#hacking
A Forced browsing attack is a vulnerability in which an unauthorized user gets access to the contents of an authorized user or other sensitive resources in a web server by forcing the URL directly.
Still not clear? Cool, I'll give you an example.
(5/13)
#bugbountytips #infosec
Still not clear? Cool, I'll give you an example.
(5/13)
#bugbountytips #infosec
Eg:When I visited covidsample(.)haryana(.)gov(.)in,it opened up an admin panel but when I made a direct request to covidsample(.)haryana(.)gov(.)in/listpositive,it gave me a list of positive patients along with their PII without any kind of log in.
Yes,it was that simple. (6/13)
Yes,it was that simple. (6/13)
So, what did this allow me to do ? What was the impact ? This is exactly what you were waiting for, right ?
Advice : Please get yourself a seat, before you proceed to read the next part.
(7/13)
#hacking #cybersecurity #bugbounty #pentest
Advice : Please get yourself a seat, before you proceed to read the next part.
(7/13)
#hacking #cybersecurity #bugbounty #pentest
This security issue allowed me or in fact anyone to :
1. View a list of positive patients from Haryana along with their mobile number,age,gender,residence address,test result and other details.
There were a total of 2,68,126 patients and it was being updated in real time. (8/13)
1. View a list of positive patients from Haryana along with their mobile number,age,gender,residence address,test result and other details.
There were a total of 2,68,126 patients and it was being updated in real time. (8/13)
2. Edit user records
3. Update records (Change status to positive, negative etc).
4. Delete records.
5. Change sample ID.
6. View and add lab incharge.
Points 2-6 were happening on the Sero Survey Portal. Ik, it's scary.
(9/13)
#bugbountytips #hacking #infosec #Pentesting
3. Update records (Change status to positive, negative etc).
4. Delete records.
5. Change sample ID.
6. View and add lab incharge.
Points 2-6 were happening on the Sero Survey Portal. Ik, it's scary.
(9/13)
#bugbountytips #hacking #infosec #Pentesting
Responsible Disclosure Timeline :
Dec 14, 2021 : Mailed the concerned authority.
*The site was pulled offline within 2hrs of reporting*
Dec 14 : Received basic acknowledgement. "Thankyou for reporting.Will examine."
Dec 15 : Asked for an update. No response.
(10/13)
Dec 14, 2021 : Mailed the concerned authority.
*The site was pulled offline within 2hrs of reporting*
Dec 14 : Received basic acknowledgement. "Thankyou for reporting.Will examine."
Dec 15 : Asked for an update. No response.
(10/13)
Dec 31 : Noticed that the site was live once again with the vulnerability fixed.
Jan 6, 2022 : Asked again, if the vulnerability was exploited in the wild or if any data was breached. Didn't receive any response yet.
(11/13)
Jan 6, 2022 : Asked again, if the vulnerability was exploited in the wild or if any data was breached. Didn't receive any response yet.
(11/13)
Additionally, I also found that the direct URLs were being indexed by search engines.
So, there are high chances that even normal users might have clicked on them and gained access to sensitive data or administrative controls. This is where it became more scary. (12/13)
So, there are high chances that even normal users might have clicked on them and gained access to sensitive data or administrative controls. This is where it became more scary. (12/13)
Also, this is not the first time a govt site has mismanaged data of Covid patients/test takers or left them exposed. Here is my other find from 2021:
It's high time that the Govt starts testing the sites for such bugs, before they are brought live (13/13)
https://twitter.com/BleepinComputer/status/1364757061142200327
It's high time that the Govt starts testing the sites for such bugs, before they are brought live (13/13)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
