Phone numbers and names of people getting COVID-19 tests were left exposed on a Karnataka government website for several months. Anyone with a little programming experience could, in theory, pull these sensitive details off the Karnataka COVID War Room website. This mechanism was disabled earlier this week, after a city-based Twitter user and media outlets highlighted the issue. Additionally, MediaNama has learnt that the website will soon have an OTP-based authentication system to address further privacy concerns (more on this further down).

The website, launched in August this year, was meant to serve as a means for people to access their COVID-19 results easily. People who have undergone a test are given a specimen referral form (SRF) ID. Users have to enter this 13-digit SRF ID, along with a CAPTCHA, and they get the result, along with their names. However, as Twitter user Shashi Kumar found out this week, the website can reveal a lot more with a bit of nudging: the SRF ID is the only information needed to check a result. Additionally, SRF IDs are not generated randomly but sequentially, i.e., if your ID is 001, you can add "1" and check the result for patients with SRF IDs 002, 003 and so on. Essentially, the website allows you to access other people's test results without any authentication. To make things worse, the website code used to run an application programming interface (API) that could fetch additional details of the person such as their age, gender and…
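The flaw described above is an authorization gap combined with predictable identifiers: a sequential SRF ID is all that is needed to fetch someone else's result. From an operator's side, the tell-tale access pattern is one client walking through consecutive IDs. The following detector is an added example, not code from the article or from the Karnataka site; the log format, field names and SRF ID values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not from the article); the SRF IDs are made up.
# 10.0.0.5 walks five consecutive IDs, 10.0.0.9 re-checks its own ID twice,
# 10.0.0.7 queries two adjacent IDs (could be a household sharing one device).
SAMPLE_LOG = """\
10.0.0.5 [2020-10-12T10:00:01] GET /result?srf=2020100000001 200
10.0.0.5 [2020-10-12T10:00:02] GET /result?srf=2020100000002 200
10.0.0.5 [2020-10-12T10:00:03] GET /result?srf=2020100000003 200
10.0.0.5 [2020-10-12T10:00:04] GET /result?srf=2020100000004 200
10.0.0.5 [2020-10-12T10:00:05] GET /result?srf=2020100000005 200
10.0.0.9 [2020-10-12T10:01:00] GET /result?srf=2020100000431 200
10.0.0.9 [2020-10-12T10:05:00] GET /result?srf=2020100000431 200
10.0.0.7 [2020-10-12T10:02:00] GET /result?srf=2020100000900 200
10.0.0.7 [2020-10-12T10:02:30] GET /result?srf=2020100000901 200
"""

# Hypothetical log layout: "<ip> [<timestamp>] GET /result?srf=<13 digits> <status>"
LINE_RE = re.compile(r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] GET /result\?srf=(?P<srf>\d{13}) ")


def parse(log):
    """Yield (client_ip, srf_id) for each result lookup; unrelated lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], int(m["srf"])


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers among the distinct IDs queried."""
    ordered = sorted(set(ids))
    best = run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(log, min_run=3):
    """Return {client_ip: run_length} for clients that looked up at least
    min_run consecutive SRF IDs. Re-checking one's own ID never trips this;
    stepping through neighbouring IDs is the enumeration pattern."""
    per_ip = defaultdict(list)
    for ip, srf in parse(log):
        per_ip[ip].append(srf)
    flagged = {}
    for ip, ids in per_ip.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged
```

A per-client threshold only catches the naive pattern; the durable fix is the one the article points to, binding each lookup to an authenticated owner (the planned OTP step) and issuing SRF IDs that cannot be guessed from a neighbour's.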
