Health Website Leaks 8 Million COVID-19 Test Results
Quote:
Yet another human-related error — this time a flaw in a health department website in the state of Bengal, India — has exposed the confidential results of COVID-19 tests as well as personally identifying information (PII) for an entire geographic region’s population.
 
Test results related to more than 8 million people potentially were exposed before the agency fixed the error, according to a security researcher.
 
Sourajeet Majumder, a teenaged ethical hacker in India, noticed a flaw in the structure of a URL in a text informing someone of their test result from Bengal health authorities. It included a pathway for finding other people’s test results, according to a report in BleepingComputer. The error was eventually traced back to a faulty endpoint at the Health and Family Welfare Department of the state of West Bengal, according to the report.
 
Specifically, the structure of a URL in the text of the message just before providing the test result comprised a base64-encoded report ID number, which a threat actor could decode to construct new sets of URLs that would enable access to other test results, Majumder told the publication. In the case of the example shown in the report, the text “The Covid-19 Test Result of [Name]” was followed by the text “SRF ID 193” before showing the result as “negative.”
 
Majumder did some investigating and realized that the base64 encoding applied to the numeric identifier was optional, so removing it did not impact the ability to retrieve reports. He said that by enumerating URLs, an attacker could retrieve millions of confidential COVID-19 test results, according to the report.
 
Each medical record contained information pertaining to the patient’s name, age, gender, partial home address, COVID-19 test result, date of the test, report identifier and even identifying details for the lab where the test was conducted, Majumder said.

Read more: https://threatpost.com/health-website-le...st/164274/
The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
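
The flaw described in the quoted article comes down to a report link whose only "secret" is a base64-encoded sequential number. As an added example (not code from the article, the researcher or the affected site), here is one way a server can issue result links that cannot be derived from a neighbouring ID: each link carries an HMAC tag bound to the report ID and an expiry time. The function names, the key handling and the 7-day lifetime are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
LINK_TTL = 7 * 24 * 3600              # assumption: links expire after 7 days

def b64_id(report_id: int) -> str:
    """The scheme the article describes: an encoding, not a protection."""
    return base64.b64encode(str(report_id).encode()).decode()

def _tag(report_id: int, expires: int) -> str:
    """HMAC-SHA256 over the ID and expiry, URL-safe and unpadded."""
    msg = f"{report_id}.{expires}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")

def issue_link_token(report_id: int, now: Optional[int] = None) -> str:
    """Build the value placed in the link sent to the patient."""
    issued = int(time.time()) if now is None else now
    expires = issued + LINK_TTL
    return f"{report_id}.{expires}.{_tag(report_id, expires)}"

def verify_link_token(token: str, now: Optional[int] = None) -> Optional[int]:
    """Return the report ID only for an authentic, unexpired token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None  # bare numeric or base64 IDs are never accepted
    try:
        report_id, expires = int(parts[0]), int(parts[1])
        supplied = parts[2].encode()
    except ValueError:
        return None
    # Constant-time comparison avoids leaking how much of the tag matched.
    if not hmac.compare_digest(supplied, _tag(report_id, expires).encode()):
        return None
    if now > expires:
        return None
    return report_id
```

A signed link only removes guessability; logging and rate-limiting failed verifications on the endpoint is what makes enumeration attempts visible to the operator.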