French hacker claims Pakistan's COVID-19 contact tracing app reveals patients' locations, govt denies claims

tech2 News Staff • June 10, 2020, 15:45:39 IST

The hacker revealed that due to the privacy issues, this app can give out the ‘exact coordinates’ of the infected people.


A French ethical hacker has reported privacy flaws in Pakistan’s COVID-19 contact tracing app, COVID-19 Gov PK, via a series of tweets. The hacker, Robert Baptiste, who goes by the username Elliot Alderson, pointed out that the app has “hardcoded passwords, insecure connections, privacy issues and…nothing is okay with this app”.

To recall, the same hacker also spoke to Firstpost about India's Aarogya Setu app. He had said that the Indian government must convince people of the app’s efficacy rather than force them to use it.

In a series of tweets, he emphasised that COVID-19 Gov PK is “NOT” a contact tracing app. The hacker added that the app “gives access to dashboards for each province and state, you can do a self-assessment, get radius alert, get a popup notification reminding the user of their personal hygiene”. Basically, it will show you the number of confirmed, critical, recovered, and fatal cases across the country in the past 24 hours.

2/ This app, made by the Ministry of IT and Telecom with National Information Technology Board, is available on the PlayStore and has been downloaded more than 500,000 times. https://t.co/bdh1uimzan

— Baptiste Robert (@fs0c131y) June 9, 2020

The COVID-19 Gov PK app is developed by the Ministry of IT and Telecom along with the National Information Technology Board of Pakistan. It is now available on the Google Play Store and, according to the tweet, it has been downloaded more than 5,00,000 times.

4/ When you open the app, it asks a token to the pak gov server with hardcoded credentials: CovidAppUser / CovidApi!@#890# pic.twitter.com/tK2IzxzfkM

— Baptiste Robert (@fs0c131y) June 9, 2020

He also claims that “When you open the app, it asks a token to the pak gov server with hardcoded credentials: CovidAppUser/CovidApi!@#890#”.

6/ The 1st request made by the app is, ofc, an insecure request pic.twitter.com/LK25DLKv1l

— Baptiste Robert (@fs0c131y) June 9, 2020

As per a report by Geo TV, a Pakistani news publication, hard-coded credentials (a password embedded into an app’s code for easy access by the developer) are a major security risk, as they are favoured by hackers who target them for access to the app itself, or worse, the device. It further added that ideally, these credentials should be removed before the app’s release, but are often left in from the development stage through to production.

Further, Alderson also reveals that the app asks for the positions of the infected person on the map, and the request made by the app is “insecure”. He added that in the “Radius Alert” tab, “you can get a map of infected people. Ofc, the exact coordinates of infected people are downloaded by the app”. Bye, bye privacy?

At the end, the hacker tweeted, “Thanks for the good laugh, you are the worst #Covid19 app I analysed.”

8/8 To sum-up, in "COVID-19 Gov PK" we found:
- hardcoded passwords
- insecure requests
- privacy issue

Thanks for the good laugh, you are the worst #Covid19 app I analysed https://t.co/IpxgMFaiJ3

— Baptiste Robert (@fs0c131y) June 9, 2020
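
A release check for two of the findings listed above, hardcoded credentials and cleartext HTTP endpoints, as an added example that is not from the article, the researcher or the app's developers. The Java snippet it scans is constructed, and the naming patterns it looks for are assumptions about how such constants are typically named.

```python
import re

# Assumed naming conventions for constants that hold a secret.
SECRET_NAME = re.compile(
    r'(?i)\b\w*(?:passw(?:or)?d|secret|api_?key|token)\w*\s*=\s*"(?P<value>[^"]{6,})"')
# Cleartext endpoints; loopback hosts are tolerated for local development.
CLEARTEXT_URL = re.compile(r'(?i)"(http://(?!localhost|127\.0\.0\.1)[^"\s]+)"')
# Values that are lookups, placeholders or URLs rather than secret literals.
PLACEHOLDER = re.compile(r'(?i)^(?:\$\{.*\}|<.*>|changeme|https?://.*)$')

def scan(source, filename="<memory>"):
    """Return (filename, line_no, rule, evidence) for each finding."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith(("//", "*", "/*")):
            continue  # ignore comment lines
        m = SECRET_NAME.search(line)
        if m and not PLACEHOLDER.match(m.group("value")):
            # Report only the length so the secret is not copied into CI logs.
            findings.append((filename, no, "hardcoded-credential",
                             f"{len(m.group('value'))}-char literal"))
        for url in CLEARTEXT_URL.findall(line):
            findings.append((filename, no, "cleartext-http", url))
    return findings

# Constructed sample, not the real app's code.
SAMPLE = '''\
public class ApiClient {
    // constructed sample for the scanner
    static final String BASE_URL = "http://api.example.invalid/v1/";
    static final String API_USER = "ExampleAppUser";
    static final String API_PASSWORD = "Example!Pass#123";
    static final String DEV_URL = "http://localhost:8080/";
    static final String MAP_URL = "https://maps.example.invalid/";
    String password = passwordField.getText();
}
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE, "ApiClient.java"):
        print(finding)
```

A check like this only catches the literal before release; any value that ships inside a mobile app can be read back out of it, so the server must not treat such a value as proof of who is calling.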


Government’s take

Meanwhile, per the report by Geo TV, the National Information Technology Board (NITB) has refuted the claims by the French researcher, saying they were “incorrect”.

As per the report, the press release said, “The purpose of the app is to stop the epidemic spread. A very limited personal information of the user is collected. The app does not show the exact coordinates of the infected people, instead, it shows the radius parameter that is fixed by default at 10 meters for self-declared patients and 300 meters at a quarantine location. Hence, self-declared patients have to give their consent to reveal their coordinates for the safety of other citizens. Moreover, they have accepted our app privacy policy/terms and conditions.”

It added, “No user login mechanism is present in the app. Therefore, the use of login and passwords are not part of app workflow. The screenshot mentioning the hardcoded password is the defined keyword to give more security to auto-token endpoint, so that endpoint can only be used from mobile apps.”

“All our API’s communicate using HTTPS. Hence, security and protection of data of users as per international standards is of prime importance and implemented at the core,” it added.
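
One way to answer a radius alert without sending case locations to the phone, as an added example that is not the app's or NITB's code. The radii are the ones quoted in the statement above; the record layout, function names and coordinates are assumptions made for illustration.

```python
import math

# Radii quoted in the NITB statement above, in metres.
RADIUS_M = {"self_declared": 10, "quarantine": 300}
EARTH_RADIUS_M = 6_371_000

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def radius_alert(user_lat, user_lon, cases):
    """Server-side check: the response carries counts, never case coordinates."""
    hits = {kind: 0 for kind in RADIUS_M}
    for case in cases:
        radius = RADIUS_M.get(case["kind"])
        if radius is None:
            continue  # unknown record types never trigger an alert
        if haversine_m(user_lat, user_lon, case["lat"], case["lon"]) <= radius:
            hits[case["kind"]] += 1
    return {"alert": any(hits.values()), "zones_entered": hits}

# Constructed records (hypothetical layout and coordinates), held only on the server.
SAMPLE_CASES = [
    {"kind": "self_declared", "lat": 33.68440, "lon": 73.04790},  # about 6 m away
    {"kind": "quarantine",    "lat": 33.68600, "lon": 73.04790},  # about 172 m away
    {"kind": "self_declared", "lat": 33.68500, "lon": 73.04790},  # about 61 m away
    {"kind": "quarantine",    "lat": 33.70000, "lon": 73.05000},  # over 1.7 km away
    {"kind": "unknown",       "lat": 33.68445, "lon": 73.04790},
]

if __name__ == "__main__":
    print(radius_alert(33.68445, 73.04790, SAMPLE_CASES))
```

Because the response carries only counts, the client never holds another person's coordinates; repeated queries from many positions can still narrow a location, so an endpoint like this also needs rate limiting.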
