Flaw in Philippines’ contact-tracing app served up data on 30K health care providers, research finds
A web and mobile phone application that the Philippines government uses to track coronavirus cases contained a flaw that could have allowed access to the names of tens of thousands of health care providers that use the app in that country, according to new research.
The flaw has been fixed, but it stands out as another cautionary tale of how software tools used to combat the pandemic can open up new fronts in data insecurity.
Multinational company Dure Technologies and officials from the World Health Organization and the Philippines Department of Health developed the app to efficiently report COVID-19 cases and help with contact tracing, and released it in June. But when researchers from the University of Toronto’s Citizen Lab investigated the app’s code, they found pressing security issues.
A web version of the app, which is known as COVID-KAYA, had a flaw in its authentication logic that revealed the names of over 30,000 health care providers signed up for the software, the researchers said. The Android version of the app was buggy, too: It allowed outsiders to access its internal programming interface, the inner hub of the software. The researchers confirmed in late October that Dure Technologies fixed the flaws.
But the bigger issue is the potential foothold that the app could have provided an attacker.
“We are concerned but did not confirm that an attacker could also leverage this vulnerability to cause the app to reveal sensitive patient data,” Citizen Lab researchers Pellaeon Lin, Jeffrey Knockel, Adam Senft, Irene Poetranto, Stephanie Tran and Ron Deibert wrote in a blog post.
The Philippines has reported some 7,700 deaths from COVID-19 and 401,000 coronavirus cases, according to Johns Hopkins University data. Infections from the virus have gradually climbed for months in the Southeast Asian country.
Months into the pandemic, contact tracing apps are a staple of digital life around the world. And like any software, researchers are continuing to find bugs in them that might create bigger surveillance issues. An Amnesty International study released in June found privacy concerns in 11 such apps introduced in places as far-flung as Iceland and Bahrain.
“Even under normal circumstances, the app ecosystem is often highly insecure as a result of the collection and storage of personal data,” the Citizen Lab researchers wrote. “Given the urgency and rapid pace of development around COVID applications, these privacy and security issues are likely to be magnified.”
Dure Technologies did not respond to a request for comment Wednesday on Citizen Lab’s findings.