An independent researcher found that over 8 million COVID-19 test results have been exposed online due to a flaw in online system implementation. These test results have sensitive patient information like name, age, date and time of testing, partial home address, COVID-19 test result, date of the test, report identifier, and the location of the testing lab.
The data was hosted on a website belonging to the Health and Welfare Department of West Bengal, India.
The discovery was shared with BleepingComputer by independent security researcher Sourajeet Majumder.
“I have found an issue in an Indian Government site which is resulting in the leakage of test reports of EVERYONE who took a COVID-19 test in a particular state,” Majumder told BleepingComputer. The researcher refers to the Indian state of West Bengal.
The researcher estimated that over 8 million reports were exposed, basing the figure on information in a daily bulletin published by the government.
Majumder spotted the leak by examining the text message sent to a COVID-19 test taker. He noticed that the URL in the message leading to the result contained the report’s base64-encoded ID number (“SRF ID”) and suspected it could be abused to retrieve other patients’ test data.
BleepingComputer analyzed the findings and confirmed the base64-encoded report number could allow anyone to access other patients’ COVID-19 test results.
BleepingComputer determined that the leaky endpoint was hosted on wbhealth.gov.in. The researchers immediately notified West Bengal’s Health and Welfare management. Although BleepingComputer did not hear back from the contacted personnel, the issue has been fixed.
The URLs that previously leaked COVID-19 test data now return a 404 Not Found error.
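The flaw described above is a classic insecure direct object reference: base64 is an encoding, not a secret, so a predictable report number wrapped in base64 gives no protection at all. The following added example (written for this page; it is not code from the West Bengal portal or from BleepingComputer, and the SRF IDs, patient records, log lines and server key are all constructed) contrasts the lookup pattern the article describes with a hardened variant that binds an HMAC tag to the ID when the SMS link is issued, so a guessed or incremented ID cannot be used without the server key. It also shows a simple log check a defender could run to spot one client walking through many report IDs.

```python
import base64
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data, not real records: SRF ID -> report.
REPORTS = {
    "2021000101": {"name": "Patient A", "result": "Negative"},
    "2021000102": {"name": "Patient B", "result": "Positive"},
    "2021000103": {"name": "Patient C", "result": "Negative"},
}


def b64(s: str) -> str:
    """URL-safe base64 encoding of a string (helper for building links)."""
    return base64.urlsafe_b64encode(s.encode()).decode()


def vulnerable_lookup(encoded_id: str):
    """The pattern the article describes: the URL carries only a base64-encoded SRF ID.
    Anyone can decode it, change the number, re-encode it and read another
    patient's report, because nothing ties the request to the patient."""
    try:
        srf_id = base64.urlsafe_b64decode(encoded_id.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return REPORTS.get(srf_id)


# Hypothetical per-deployment secret; in production this lives in a secrets store.
SERVER_KEY = secrets.token_bytes(32)


def make_report_link(srf_id: str) -> str:
    """Hardened issuance: attach an HMAC-SHA256 tag over the SRF ID to the link token.
    The tag is unforgeable without SERVER_KEY, so the token acts as a capability."""
    tag = hmac.new(SERVER_KEY, srf_id.encode(), hashlib.sha256).hexdigest()
    return f"{b64(srf_id)}.{tag}"


def hardened_lookup(token: str):
    """Hardened lookup: refuse any token whose tag does not verify.
    A guessed or incremented ID has no valid tag, so enumeration fails."""
    try:
        encoded_id, tag = token.split(".", 1)
        srf_id = base64.urlsafe_b64decode(encoded_id.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_KEY, srf_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking tag bytes through timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return REPORTS.get(srf_id)


# Constructed access log lines in a minimal "<client-ip> <path>" format.
SAMPLE_LOG = [
    "203.0.113.5 /report?id=" + b64("2021000101"),
    "203.0.113.5 /report?id=" + b64("2021000102"),
    "203.0.113.5 /report?id=" + b64("2021000103"),
    "198.51.100.7 /report?id=" + b64("2021000102"),
]


def enumeration_suspects(log_lines, threshold: int = 3):
    """Detection: flag client IPs that fetched `threshold` or more distinct SRF IDs.
    A patient opens their own report; a scraper walks through many of them."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, path = line.split(maxsplit=1)
        if "id=" not in path:
            continue
        encoded = path.split("id=", 1)[1].split(".", 1)[0]
        try:
            srf_id = base64.urlsafe_b64decode(encoded.encode()).decode()
        except (ValueError, UnicodeDecodeError):
            continue
        seen[ip].add(srf_id)
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup(b64("2021000102")))
    link = make_report_link("2021000102")
    print("hardened, valid token:", hardened_lookup(link))
    print("hardened, forged tag:", hardened_lookup(b64("2021000103") + ".0000"))
    print("suspect IPs:", enumeration_suspects(SAMPLE_LOG))
```

The HMAC tag only prevents forgery of links; it does not expire or bind the link to a particular phone, so a leaked SMS still grants access. A fuller design would add a short-lived expiry inside the signed payload or require a second factor the patient knows before rendering the report.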
BleepingComputer has previously reported that multiple Indian government websites were exposing COVID-19 patient test data.