Security loopholes in Jio’s Coronavirus Symptoms checker tool reveal results

Reliance Jio COVID-19 Symptoms Checker Tool

Since the COVID-19 outbreak has started governments and companies around the world are rushing to develop web tools and applications that can help in identifying the Coronavirus symptoms.

Reliance Jio — India’s largest telecom network also launched its coronavirus self-test symptom checker in late March, just before the Government of India imposed a nationwide lockdown to curb the spread of the virus. The symptom checker on Jio’s website and My Jio App works the same way as other self-testing symptom checker that allows users to see if they are infected with COVID-19.

But a major security lapse in the symptom checker of Jio gave access to the core database with almost all data of users without even a password as reported by security researcher Anurag Sen who found the database on May 1st and later he informed TechCrunch to notify the company, then the company quickly pulled the system offline. But there are no details that the database was accessed by anyone else.

“We have taken immediate action,” said Jio spokesperson Tushar Pania. “The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms.”

The exposed database contains million of logs and records from April 17 till the time the database was pulled offline, while the server contained a running log of website errors and other system messages, it also had a large number of user-generated self-test data.

Each self-test data with a record was stored in the database which also includes who took the test— such as “self” or a relative, their age, and their gender.

The stored data also includes a user’s browser version, operating system simply this data helps in loading the website properly but the same data can be used to track a user’s activity.

Furthermore, the database also contains individual records if a user signed up and created a profile that allows them to update their symptoms time over time. The records also include answers to each question that are asked in the symptom checker tool, and if the users allowed the tool to access the location data his or her precise location is also stored in the database.

A redacted portion of the exposed database of Jio's Coronavirus Symptom Checker tool.
A redacted portion of the exposed database of Jio’s Coronavirus Symptom Checker tool (source: TechCrunch)

One of the samples obtained from the database includes precise geolocation of thousands of users in India that can be used to identify people’s homes using the latitude and longitude on any Maps service. Most of the location data is the cluster around major cities of India like Mumbai, Pune, and Delhi. TechCrunch also found data of some users in the United Kingdom and North America.

This security lapse comes at a critical time when the company has just signed a $5.7 billion investment deal with Facebook for 10% stake in Jio’s platforms.

Leave a Reply

%d bloggers like this: