A platform used by healthcare workers in the Philippines, designed to share data about COVID-19 cases, contained multiple flaws that exposed healthcare worker data and could potentially have leaked patient data.
Vulnerabilities found in both the COVID-KAYA platform’s web and Android apps allowed unauthorized users to access private data about the platform’s users and potentially patient data, according to a report from researchers at The Citizen Lab, an interdisciplinary laboratory based at the University of Toronto.
The Citizen Lab’s report is the latest example of how the COVID-19 pandemic has spurred a host of security problems for the healthcare sector to deal with – including data security and ransomware attacks. In addition to opportunistic threat actors using the pandemic and related issues for their own gain in socially engineered phishing and other campaigns, the flood of new data related to the pandemic is also testing the security of the systems used to store and share this data.
COVID-KAYA was deployed on June 2 to allow frontline healthcare workers in the Philippines to automate their collection and sharing of coronavirus case information with the country’s Department of Health. The app has web, iOS and Android versions and was built using Cordova, a cross-platform application development framework that allows developers to build applications using web technologies and then deploy the same code to both web and mobile platforms.
“Our analysis found that both of these versions of COVID-KAYA contain vulnerabilities disclosing data otherwise protected by ‘superuser’ credentials,” according to the report, written by Citizen Lab’s Pellaeon Lin, Jeffrey Knockel, Adam Senft, Irene Poetranto, Stephanie Tran, and Ron Deibert.
Researchers point to two vulnerabilities that have since been patched—one in the COVID-KAYA web app and another in the Android app—that attackers could have exploited to expose sensitive data from the system.
The web app’s flaw resided in its authentication logic. The vulnerability allowed “otherwise restricted access to API endpoints, exposing the names and locations of health centers as well as the names of over 30,000 healthcare providers who have signed up to use the app,” researchers said. They also said the app could have exposed sensitive patient data, although this remains unconfirmed.
Meanwhile, the COVID-KAYA Android app used hardcoded API credentials that also allowed access to the names of healthcare providers and potentially sensitive patient data as well, researchers wrote.
The Citizen Lab team disclosed the web app vulnerability to the app’s developers, including officials from Dure Technologies, the Philippines Department of Health, and the World Health Organization (WHO) Philippines, on Aug. 18, and the Android app’s vulnerability on Sept. 14. Both flaws have been identified and patched as of Oct. 29, and any leaked credentials have been invalidated, researchers confirmed.
The authentication flaw in the web app stemmed from a login page used to authenticate valid users with a username and password. At first sight it appeared that the page functioned normally; if someone signed in with an invalid username and/or password, it let the person know, researchers reported.
“However, in our testing, we found that, after attempting to sign in with an invalid username or password, the web app appeared to grant us, without notification, access to API endpoints and tools normally unavailable to users who were not logged in,” researchers wrote. “These API endpoints and tools were easily discoverable.”
For example, the team discovered an API endpoint by taking the publicly accessible endpoint for resetting a user’s forgotten password and then deleting part of the URL. The new URL redirected them to a page that appeared to be a master directory of API endpoints, one of which seemed capable of enumerating all 30,087 (at the time of access) users of the app, researchers said.
Further modification of the URL allowed them to access the system and view all the health centers and healthcare providers that were affiliated with the app, organized by country and city, as well as access other sensitive data, researchers said.
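The class of flaw described above, as an added example (not code from COVID-KAYA or the Citizen Lab report): a minimal API model in which every restricted endpoint verifies a server-issued session on each request, a failed login creates no session, and a regression check mirrors the researchers’ test of probing endpoints after a failed login. The user, endpoint names and data are constructed.

```python
"""Constructed model of server-side authorization for restricted API endpoints.
Not COVID-KAYA code; credentials, paths and data are invented for illustration."""
import hmac
import secrets

# Constructed credential store; a real deployment stores password hashes, not plaintext.
USERS = {"nurse01": "correct horse battery staple"}


class Api:
    def __init__(self):
        self.sessions = {}            # token -> username, populated only on successful login
        self.centers = ["Center A", "Center B"]
        self.providers = ["Provider 1", "Provider 2"]

    def login(self, username, password):
        """Return a fresh session token on success, None otherwise.
        The failure path deliberately creates no state the caller could reuse."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def _require_session(self, token):
        # Authorization is decided here, per request, never by what the UI shows or hides.
        return token is not None and token in self.sessions

    def handle(self, path, token=None):
        """Dispatch an API request; only the password-reset endpoint is public."""
        if path == "/api/password-reset":
            return 200, "reset link sent if the account exists"
        if not self._require_session(token):
            return 401, None
        if path == "/api/users":
            return 200, list(self.providers)
        if path == "/api/health-centers":
            return 200, list(self.centers)
        return 404, None


def probe_after_failed_login(api, username="nurse01", password="wrong"):
    """Regression check: after a failed login, does any restricted or
    directory-style endpoint answer? Returns {path: status}."""
    token = api.login(username, password)           # expected to be None
    paths = ["/api/users", "/api/health-centers", "/api"]
    return {p: api.handle(p, token)[0] for p in paths}
```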
In their analysis of the COVID-KAYA Android app version 1.4.7, researchers found that a file in the app’s source code contained hard-coded credentials used for accessing the web interface of the system’s dashboard. The vulnerability could be used to access sensitive data from API endpoints by allowing an unauthorized log-in to the dashboard, researchers said.
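Because Cordova packages the web code as plain assets inside the app bundle, any credential written into it is readable by whoever holds the package. The following pre-release check is an added example (not from the report or the project): it scans constructed sample files of the kind found under a Cordova build’s www directory for credential-looking literals and reports their location without echoing the values.

```python
"""Constructed scan for hard-coded credentials in a Cordova web bundle.
Not COVID-KAYA code; the sample files and their values are invented."""
import re

# Common shapes secrets take as string literals; extend per codebase.
PATTERNS = [
    ("password literal", re.compile(r"""(?:pass(?:word)?|pwd)\s*[:=]\s*['"]([^'"]{4,})['"]""", re.I)),
    ("api key literal", re.compile(r"""(?:api[_-]?key|token|secret)\s*[:=]\s*['"]([^'"]{8,})['"]""", re.I)),
    ("basic auth header", re.compile(r"""['"]Basic\s+([A-Za-z0-9+/=]{8,})['"]""")),
]


def scan_source(name, text):
    """Return (file, line_no, kind) findings; the matched secret is never reported."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((name, line_no, kind))
    return findings


def scan_bundle(files):
    """files: mapping of path -> content, as read from an unpacked build's www directory."""
    out = []
    for path, content in files.items():
        if path.endswith((".js", ".html")):
            out.extend(scan_source(path, content))
    return out


# Constructed sample bundle (hypothetical paths and values for illustration only).
SAMPLE_BUNDLE = {
    "www/js/config.js": (
        "var API_BASE = 'https://example.invalid/api';\n"
        "var DASHBOARD_USER = 'admin';\n"
        "var DASHBOARD_PASSWORD = 'hunter2hunter2';\n"
    ),
    "www/js/app.js": (
        "fetch(API_BASE + '/providers', {headers: {Authorization: 'Basic YWRtaW46aHVudGVyMg=='}});\n"
    ),
    "www/css/style.css": "body { color: #333; }\n",
}

if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_BUNDLE):
        print("%s:%d: %s" % finding)
```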
Two weeks ago, another COVID-19-related data breach occurred when a cyber-attack hit COVID-19 vaccine manufacturer Dr. Reddy’s Laboratories, the contractor for Russia’s “Sputnik V” COVID-19 vaccine, which is about to enter Phase 2 human trials. The company shut down its plants in Brazil, India, Russia, the U.K. and the U.S., and isolated data-center services, to apply remediations.