Teenage White Hat Hacker Discovers PII-Exposing Flaw in Health-Department Website


Saturday, February 27th, 2021

A teenaged ethical hacker discovered a flawed endpoint on a health-department website in the Indian state of West Bengal that exposed personally identifiable information tied to COVID-19 test results. More than 8 million test results were potentially exposed before the agency fixed the error.

Sourajeet Majumder, a teenaged ethical hacker in India, noticed a flaw in the structure of a URL contained in a text message from the Bengal health authorities informing a recipient of their test result. The URL offered a pathway for finding other people’s test results, according to a report in BleepingComputer. The error was eventually traced back to a faulty endpoint at the Health and Family Welfare Department of the state of West Bengal, according to the report.

Specifically, the URL included in the message, just before the test result itself, carried a base64-encoded report ID number. A threat actor could decode that number and construct new URLs that would return other people’s test results.

Majumder did some investigating and realized that the base64 encoding applied to the numeric identifier was optional, so removing it did not impact the ability to retrieve reports. He said that by enumerating URLs, an attacker could retrieve millions of confidential COVID-19 test results. Each medical record contained information pertaining to the patient’s name, age, gender, partial home address, COVID-19 test result, date of the test, report identifier and even identifying details for the lab where the test was conducted, Majumder said.
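The flaw described above is an insecure direct object reference: the report URL carried a sequential numeric ID (optionally base64-wrapped), and the server checked nothing else before returning the record. The Python below is an added illustration written for this page, not code from the article or from the West Bengal health department's system; the record store, the server key and all function names are constructed for the example. It models the weak lookup beside a hardened one that issues HMAC-signed, expiring references, so that a reference for one report cannot be rewritten into a valid reference for another.

```python
"""Added example: sequential-ID report lookup (the described flaw) beside a
hardened design using signed, expiring references.  Everything here is
constructed for illustration and is not the real system's code."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Constructed sample store: sequential report IDs -> patient records.
REPORTS = {
    1001: {"name": "Patient A", "result": "negative"},
    1002: {"name": "Patient B", "result": "positive"},
    1003: {"name": "Patient C", "result": "negative"},
}

# Constructed server-side key; a real deployment would load it from a
# secret store rather than generate it at import time.
SERVER_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def vulnerable_lookup(report_ref: str):
    """Mirrors the described flaw: the reference is a sequential integer,
    the base64 wrapping is optional, and nothing ties the caller to the
    record.  Any neighbouring number is therefore a valid reference."""
    if report_ref.isdigit():
        report_id = int(report_ref)
    else:
        report_id = int(base64.b64decode(report_ref, validate=True).decode("ascii"))
    return REPORTS.get(report_id)


def _encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_reference(report_id: int, ttl_seconds: int = 7 * 24 * 3600, now=None) -> str:
    """Hardened design: the reference is '<id>.<expiry>' followed by an
    HMAC-SHA256 tag over that payload.  Without SERVER_KEY the ID field
    cannot be changed to point at another report."""
    now = int(time.time()) if now is None else now
    payload = f"{report_id}.{now + ttl_seconds}".encode("ascii")
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _encode(payload + tag)


def hardened_lookup(reference: str, now=None):
    """Return the record only if the reference carries a valid tag and has
    not expired; any parse failure, forgery or tampering yields None."""
    now = int(time.time()) if now is None else now
    try:
        raw = _decode(reference)
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        report_id_s, exp_s = payload.split(b".")  # ValueError if malformed
        report_id, exp = int(report_id_s), int(exp_s)
    except (binascii.Error, ValueError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    if exp < now:
        return None
    return REPORTS.get(report_id)


def rejects_modified_reference() -> bool:
    """Defensive unit test: a reference for one report, with its ID field
    rewritten to a neighbouring number, must not resolve.  This is exactly
    the property the sequential design lacked."""
    ref = issue_reference(1001, now=1_000_000)
    raw = _decode(ref)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    modified = _encode(payload.replace(b"1001", b"1002") + tag)
    return hardened_lookup(modified, now=1_000_000) is None


if __name__ == "__main__":
    # Weak design: plain and base64 forms of a guessable ID both resolve.
    print(vulnerable_lookup("1002"), vulnerable_lookup("MTAwMw=="))
    # Hardened design: only a server-issued reference resolves.
    ref = issue_reference(1001)
    print(hardened_lookup(ref), hardened_lookup("1002"))
    print("modified reference rejected:", rejects_modified_reference())
```

A signed reference is the minimal fix for a link delivered by SMS, where there is no login session to authorize against; a random opaque token stored server-side alongside each report achieves the same property. Where recipients can authenticate, the server should additionally check that the logged-in user owns the record, and access logs should be watched for a single client requesting many distinct report references, which is the signature of the enumeration described above.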
