Date: 2020-05-05

The Greater Chennai Corporation’s website leaked over 30,000 people’s personal information through e-passes, security researcher Robert Baptiste said on Twitter. The vulnerability left application forms and emergency movement passes issued by the authorities exposed. Baptiste, better known by his Twitter pseudonym Elliot Alderson, said that over 30,000 reserve volunteers’ data was also exposed. The vulnerability was first spotted by Twitter user KaruppuNerd on May 2.

2/n Also I can access the 248 volunteers information with their personal information. pic.twitter.com/Oqr4N1no1e — Nerd (@KaruppuNerd) May 2, 2020

Baptiste first tweeted about the finding at 6:31pm on May 4, and by 8:18pm, Chennai Corporation had fixed the vulnerabilities. No dump of the exposed information has surfaced so far.

The issue has been quickly fixed by @chennaicorp. Due to an IDOR, the e-passes were available publicly. Moreover, the Aadhaar numbers were hidden in the PDF but not in the pass view. The details of all the volunteers were available too. Kudos to @KaruppuNerd who found these vulns https://t.co/SERtFNHEV2 pic.twitter.com/AJuEDnk7Rx — Elliot Alderson (@fs0c131y) May 4, 2020

The corporation did not release a statement about the leak. We have reached out to them for more details on how the exposed data was secured, and what further steps they are taking to keep this information safe.
