A French cybersecurity expert and hacker who uses the alias “Elliot Alderson” on Twitter has claimed to have found a “security issue” in the Aarogya Setu app, a coronavirus tracking application developed by the National Informatics Centre, a part of the Ministry of Electronics and Information Technology of the Indian government.
The hacker alleges that this issue puts the data of 90 million users at risk.
Elliot Alderson is the same person who had found flaws in the Aadhaar app and exposed that Aadhaar data was being accessed by third-party websites.
Elliot tweeted at Aarogya Setu’s official Twitter handle, saying: “A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?”
Hi @SetuAarogya,
A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?
Regards,
PS: @RahulGandhi was right
At the end of the tweet, he also tagged Congress leader Rahul Gandhi, who just last week had raised data security concerns related to the app. Gandhi called the app a sophisticated surveillance system.
He said that it was “outsourced to a pvt operator, with no institutional oversight - raising serious data security & privacy concerns.”
The Arogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight - raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent.
Following Rahul’s tweet, Elliot decided to take a deep dive into the Indian contact tracing app, using an Indian mobile number that he had requested on Twitter.
In another tweet, Elliot mentioned that 49 minutes after he had declared the security concern, he was contacted by the Computer Emergency Response Team (CERT) and the National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology.
The hacker also said that he would disclose the flaws publicly if the issue was not fixed within a “reasonable deadline”.
49 minutes after this tweet, @IndianCERT and @NICMeity contacted me. Issue has been disclosed to them.
To be super clear:
- I'm waiting a fix from their side before disclosing publicly the issue. Putting the medical data of 90 million Indians is not an option.
- I have a very limited patience, so after a reasonable deadline, I will disclose it, fixed or not.
Ever since its release, the Aarogya Setu app has come under severe criticism for privacy and surveillance concerns as well as the lack of audit and transparency. The app is not open source and its source code is not open to scrutiny.