In a rush to release test results quickly, the government neglected to implement access control, a rudimentary part of good DevSecOps, and ended up leaking COVID-19 test results.
Last week, the government of West Bengal was reported to have exposed COVID-19 test results of its citizens on its website.
The test results included the patient’s name, sex, age, postal address and the results of individual COVID-19 tests.
It is not clear how many results were exposed. The security researcher who found the flaw, Sourajeet Majumder, said he was concerned that “a malicious attacker could scrape the site and sell the data. This is a privacy violation if somebody else gets access to my private information.”
How could this happen in a government organization that must keep the trust of its citizens and residents if it is to have any cyber credibility? According to Jonathan Knudsen, a senior security strategist at Synopsys Software Integrity Group, it was a case of missing access control.
“With missing access control, anyone can view results for anyone else. Like most software, this application was probably built as quickly as possible with functionality being its only goal. We will stop seeing these kinds of headlines only when development teams include security at every phase of development.”
According to Knudsen, about 10 minutes of threat modelling during the application’s design would have made obvious the danger of the scheme for referencing results. “Designing a better access system would have added perhaps an hour or two to the development cycle. Like brushing your teeth or eating your vegetables, security needs to be a consistent habit with application development teams. For development teams, security is a habit that produces long-term positive results.”
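To make the flaw Knudsen describes concrete, here is an added example (not code from the article, and not the West Bengal site's code) of a minimal results-lookup service. It places the flawed lookup, where a record number alone is enough to read anyone's result, beside a hardened lookup that checks the record belongs to the authenticated caller. It also goes one step beyond the article by showing that replacing sequential numbers with unguessable tokens makes scraping harder but does not remove the need for the ownership check. All records, identifiers and the `patient_id` notion are constructed for the example.

```python
"""Missing access control beside its fix: an added, self-contained example
(not the article's or the affected site's code). All data is constructed."""

import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class TestResult:
    result_id: int
    patient_id: str   # hypothetical identity of the patient who owns the record
    name: str
    result: str


# Constructed sample records. The sequential result_id mimics a guessable
# reference scheme, the kind of design a short threat-modelling pass flags.
RESULTS: Dict[int, TestResult] = {
    1001: TestResult(1001, "patient-A", "Asha", "negative"),
    1002: TestResult(1002, "patient-B", "Bikash", "positive"),
}


class AccessDenied(Exception):
    """Raised when a caller asks for a record that is not theirs (or does not exist)."""


def get_result_unprotected(result_id: int) -> Optional[TestResult]:
    """Flawed lookup: the only input is the record number, so anyone who can
    count upwards from a known id can read every patient's result."""
    return RESULTS.get(result_id)


def get_result(result_id: int, requesting_patient_id: str) -> TestResult:
    """Hardened lookup: an authorization check on every request.
    requesting_patient_id is assumed to come from an authenticated session,
    never from the request parameters themselves."""
    record = RESULTS.get(result_id)
    # Same error for "not found" and "not yours": the response must not
    # confirm which record numbers exist.
    if record is None or record.patient_id != requesting_patient_id:
        raise AccessDenied("no such result for this user")
    return record


# Optional extra layer: hand out unguessable references instead of sequential
# numbers. This slows enumeration but is NOT a substitute for the check above.
TOKENS: Dict[str, int] = {}


def issue_reference(result_id: int) -> str:
    """Create a random, single-purpose reference for an existing record."""
    if result_id not in RESULTS:
        raise KeyError(result_id)
    token = secrets.token_urlsafe(16)
    TOKENS[token] = result_id
    return token


def get_result_by_reference(token: str, requesting_patient_id: str) -> TestResult:
    """Resolve a token, then still enforce ownership: a leaked or shared token
    must not let a different logged-in user read the record."""
    result_id = TOKENS.get(token)
    if result_id is None:
        raise AccessDenied("no such result for this user")
    return get_result(result_id, requesting_patient_id)


def exposed_without_authorization(id_range) -> int:
    """Defender-side audit helper: how many records the flawed endpoint would
    reveal to an unauthenticated caller walking a range of ids."""
    return sum(1 for i in id_range if get_result_unprotected(i) is not None)


if __name__ == "__main__":
    print("flawed endpoint exposes", exposed_without_authorization(range(1000, 1010)), "records")
    print("hardened endpoint, own record:", get_result(1001, "patient-A").result)
    try:
        get_result(1002, "patient-A")
    except AccessDenied as exc:
        print("hardened endpoint, someone else's record:", exc)
```

The ownership check lives in the data-access function rather than in a caller, so every route that reads a result inherits it; the audit helper is the kind of regression check that belongs in a test suite so a later "quick" change cannot silently reintroduce the flaw.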
People whose information has been exposed are advised to be wary of unsolicited emails or telephone calls that may include personal information such as address, age, and other personal details. They should also warn their contacts and loved ones not to fall for convincing phishing messages and emails that leverage that personal information.