The Greater Chennai Corporation’s website leaked over 30,000 people’s personal information through e-passes, security researcher Robert Baptiste said on Twitter. The vulnerability left application forms and emergency movement passes issued by the authorities exposed. Baptiste, better known by his Twitter pseudonym Elliott Alderson, said that over 30,000 reserve volunteers’ data was also exposed. The vulnerability was first spotted by Twitter user KaruppuNerd on May 2.

Baptiste first tweeted about the finding at 6:31pm on May 4, and by 8:18pm, Chennai Corporation had fixed the vulnerabilities. No dump of the exposed information has surfaced so far.

The corporation did not release a statement about the leak. We have reached out to them for more details on how the exposed data was secured, and what further steps they are taking to keep this information safe.

Privacy and COVID-19

  • On March 26, the Karnataka government published a list of home addresses where people were placed under quarantine.
  • On April 18, source code for a contact tracing app in the Netherlands leaked the personal information of 200 users.
  • On April 26, it emerged that an Aarogya Setu vulnerability leaked users’ precise location data to Google when the self-assessment feature was used in a specific way.