wordpress blog stats
Connect with us

Hi, what are you looking for?

Aarogya Setu code on GitHub is ‘test backend code’, not ‘production code’, says NIC-CERT

Aarogya Setu
Credit: Aditi Agrawal

In response to MediaNama’s queries about security vulnerabilities in Aarogya Setu, as reported by Security Brigade in their now removed blog post, NIC-CERT directed us to Security Brigade’s updated blog post which reads: “The code that was published on GitHub was a test backend code and not the production code.” The updated blog post was written, “after consultation with relevant stake holders [sic]”.

It is understood that the code in question is the one that Shadow Map’s scans accidentally found on June 23. It was in this code uploaded on June 23 that Shadow Map had discovered hardcoded credentials, including plain text username and password, to the Aarogya Setu GitHub account.

The updated blog post also mentions that when Security Brigade flagged the issue to NIC and NIC CERT on June 23, the issue was fixed within 24 hours which “in itself is commendable and is significantly better than the industry average of 36 days to fix reported issues”. This resolves two questions — if the issues that Security Brigade highlighted actually existed, and whether or not Security Brigade had informed the authorities. The company had informed and as stated in the original blog post (that has now been taken down) and the authorities fixed them quietly. This was the issue around a developer’s credentials being hardcoded in the public code.

Read more: Unravelling the claims over Aarogya Setu’s vulnerabilities

Security Brigade’s updated post states that they had taken care to access “absolutely no data” as part of this process, something they had mentioned in the original blog post as well. “Further, since the code was not the production code, it was not possible to access any user data or backend services. We can unequivocally state that no data was breached nor could it have been,” reads the updated blog post.

Advertisement. Scroll to continue reading.

This updated blog post also suggests that Security Brigade had not abused the access given to it by the government, contrary to what Abhishek Singh, the CEO of MyGov and NeGD, had alleged in a conversation with MediaNama. We have still asked NIC CERT to confirm that.

We have re-sent NIC CERT our unanswered questions:

  • Has CERT-In been working with Shadow Map on an internal research project to map all GOV.IN assets?
  • Has the issue around Google Firebase Private Keys been resolved? As per the original post, the keys had not been changed even after 45 days and were active when the post was published.
  • Did CERT or any other government agency sign a contract with Security Brigade about their work on Aarogya Setu?
  • When was Security Brigade hired to work on Aarogya Setu?

We are still waiting for responses from NIC, CERT-In and Singh.

Disclosure: MediaNama had cross-posted Security Brigade’s original blog on August 12 but took it down at the author’s request.

***Update (August 14, 2020 10:32 am): Updated with clarification about the code in question. Originally published on August 14 at 7 am.

Advertisement. Scroll to continue reading.
Written By

Send me tips at aditi@medianama.com. Email for Signal/WhatsApp.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



India and US come to terms on how to deal with the equalisation levy in light of the impending Global Tax Deal.


Find out how people’s health data is understood to have value and who can benefit from that value.


The US and other countries' retreat from a laissez-faire approach to regulating markets presents India with a rare opportunity.


When news that Walmart would soon accept cryptocurrency turned out to be fake, it also became a teachable moment.


The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ