Renowned ethical hacker Baptiste Robert, aka Elliot Alderson (twitter.com/fs0c131y), has found a security issue in the Aarogya Setu COVID-19 contact tracing app developed by the Government of India that puts the privacy of the sensitive data of the 90 million users registered on the app at risk.
In a series of tweets, he informed Aarogya Setu’s official Twitter handle that the app has a security issue and that he is able to access the data of 90 million Indians.
He also mentioned Rahul Gandhi, INC MP from Wayanad district of Kerala, who had raised the issue that the app has a security flaw and can be used as a surveillance system.
The hacker has not yet disclosed the issue, as CERT-In and the NIC contacted him within 49 minutes of the tweet.
He had been preparing the hack for only a short time and carried it out within five hours, using a valid Indian mobile number that was not registered on the app.
Response from Aarogya Setu:
Within hours of contacting the hacker, the Aarogya Setu team posted a message on social media about the data security of the app.
The app developers said that the contact-tracing app Aarogya Setu “by design” collects the location data of its 90 million users and allows them to view the concentration of people who have tested positive for COVID-19 in their vicinity.
In reply, the hacker said: “You said ‘nothing to see here’. We will see. I will come back to you tomorrow.”
He later posted a further tweet.
We expect more details to be revealed soon.
Findings revealed by the Security Researcher:
His full findings can be read in his article published on Medium.
This is not the first time this Twitter account has reported security issues in public databases in India; he has previously reported security issues in UIDAI (Aadhaar card) systems, which led to massive outrage.