The Greater Chennai Corporation’s website leaked over 30,000 people’s personal information through e-passes, security researcher Robert Baptiste said on Twitter. The vulnerability left application forms and emergency movement passes issued by the authorities exposed. Baptiste, better known by his Twitter pseudonym Elliott Alderson, said that over 30,000 reserve volunteers’ data was also exposed. The vulnerability was first spotted by Twitter user KaruppuNerd on May 2.
Also I can access the 248 volunteers' information with their personal information. pic.twitter.com/Oqr4N1no1e
— Nerd (@KaruppuNerd) May 2, 2020
The issue has been quickly fixed by @chennaicorp. Due to an IDOR, the e-passes were available publicly. Moreover, the Aadhaar numbers were hidden in the PDF but not in the pass view. The details of all the volunteers were available too. Kudos to @KaruppuNerd who found these vulns https://t.co/SERtFNHEV2 pic.twitter.com/AJuEDnk7Rx
— Elliot Alderson (@fs0c131y) May 4, 2020
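The tweet above names two defects: an IDOR on the pass lookup, and an Aadhaar number that was masked in the PDF but not in the pass view. As an added example (not the corporation's code; the in-memory store, the sequential ids and the `owner` field are constructed assumptions), here is the unchecked lookup beside a version that authorises on the server and routes every output format through one redaction step:

```python
# Added example, not code from the Chennai Corporation site.
from dataclasses import dataclass


@dataclass
class EPass:
    pass_id: int
    owner: str     # account that applied for the pass (assumed field)
    name: str
    aadhaar: str   # 12-digit identifier; values below are constructed


# Constructed sample store. Sequential ids are what make an IDOR easy to hit:
# a caller who holds 1001 can simply try 1002.
PASSES = {
    1001: EPass(1001, "alice", "A. Kumar", "123456789012"),
    1002: EPass(1002, "bob", "B. Rajan", "210987654321"),
}


class Forbidden(Exception):
    """Raised for ids the requester may not see (or that do not exist)."""


def mask_aadhaar(number: str) -> str:
    """Keep only the last four digits, as the PDF path already did."""
    return "XXXX-XXXX-" + number[-4:]


def vulnerable_view(pass_id: int) -> dict:
    """IDOR: any caller can fetch any pass by id, and this path never masks."""
    p = PASSES[pass_id]
    return {"name": p.name, "aadhaar": p.aadhaar}


def hardened_render(pass_id: int, requester: str, fmt: str) -> dict:
    """Check ownership server-side, then redact once for every output format."""
    p = PASSES.get(pass_id)
    if p is None or p.owner != requester:
        # Same response for missing and foreign ids, so the id space cannot be probed.
        raise Forbidden("not found")
    # "pdf" and "view" share this single redaction step; the original bug was
    # that only one of the two rendering paths applied it.
    return {"format": fmt, "name": p.name, "aadhaar": mask_aadhaar(p.aadhaar)}


def is_accessible(pass_id: int, requester: str) -> bool:
    """Convenience check: True only if the hardened path would serve the pass."""
    try:
        hardened_render(pass_id, requester, "view")
        return True
    except Forbidden:
        return False
```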
The corporation did not release a statement about the leak. We have reached out to them for more details on how the exposed data was secured, and what further steps they are taking to keep this information safe.
Privacy and COVID-19
- On March 26, the Karnataka government published a list of home addresses where people were placed under quarantine.
- On April 18, source code for a contact tracing app in the Netherlands leaked the personal information of 200 users.
- On April 26, it emerged that an Aarogya Setu vulnerability leaked users’ precise location data to Google when the self-assessment feature was used in a specific way.