New Delhi: A cyber security firm said on Wednesday that it stumbled upon large parts of the government’s contact tracing app Aarogya Setu’s code and back-end components that could jeopardise the privacy of 150 million users after a government website appeared to have inadvertently uploaded log-in credentials used by the developers, triggering a war of words with the government before both sides retracted their claims.
On Wednesday afternoon, threat intelligence firm Shadow Map said in a blog post published on its website that it found the log-in credentials used by developers of Aarogya Setu sitting, possibly by accident, on a government website, allowing them to gain access to large parts of the code and other software infrastructure that, if accessed by hackers, could expose location, contact, and health data of the users.
The blog post refers to events that happened in late June, and added that the issue was fixed a day after Shadow Map pointed it out to the relevant authorities.
In a widely circulated statement on Wednesday evening, the government called the claims “malicious, nefarious and unsubstantiated” and assured users that no data has been compromised due to the alleged vulnerabilities. It also said it would pursue legal action against the company. Shortly after, Shadow Map took down the blog post, and the government retracted its statement.
“We assure users no data was compromised and we will look into this incident in entirety and take action as per the law,” said Abhishek Singh, CEO of MyGov, the government agency spearheading the project. Singh added that the statement was being retracted since the blog had been pulled down.
Aarogya Setu is a mobile phone-based contact-tracing application meant to identify people with Covid-19, but has been criticised by privacy experts for collecting excessive amounts of data, while cyber security analysts have also flagged endemic issues in India’s cyber hygiene that could expose such data to malicious actors, including state-backed hackers.
In the now-retracted blog post , Shadow Map gave what appeared to be details with screenshots of how it found “the source code for the Aarogya Setu platform including its back-end infrastructure being exposed on the public internet”, citing in particular the discovery of log-in credentials used by the developers on GitHub.
GitHub is a code-sharing platform that is often used by programmers to work on software they are building.
The discovery was part of internal research to scan government websites for publicly accessible data, the researchers said, adding: “On the 23rd of June, while analysing the data from this GOV.in scan, we noticed that one of the Aarogya Setu servers had been recently updated and one of its developers had accidentally published their Git folder into the public webroot, along with the plain-text user name and password details for the official Aarogya Setu GitHub account.”
This, the researchers went on to say, allowed them to access the code stored on GitHub, which in turn gave previously undisclosed details about how the platform is designed, including the role of private operators, and access to “authentication keys” that could potentially enable access to user data.
“A malicious user that gets access to GitHub or their cloud platforms could easily introduce malware into the app that would then be served to all 150 million users,” Yash Kadakia, founder of Shadow Map, told HT over phone in the afternoon.
To these claims, Singh said the disclosures “were very unethical and unprofessional act of a firm that was involved in security audit of the app”.
In the statement issued by the ministry of electronics and IT, before it was retracted, the government accused Security Brigade – the parent company of Shadow Map — of violating its terms of engagement on the Aarogya Setu project.
“Security Brigade, a CERT-In empanelled agency, was one of the reviewers of Aarogya Setu code and confidential information relating to the code was shared with the firm. In all such reviews and audits, the expectation is that they will conduct the review professionally and will maintain confidentiality. Now publishing an article on issues that they came to know as part of the code review violates the basic principles of ethics and propriety,” it said.
Security Brigade rejected the allegation and reiterated the information was based on code accessed as a result of the leak of the GitHub credentials on a government website.
“Aarogya Setu reached out to six organisations and shared their Android source code for review prior to their press conference announcing the bug bounty program. Of course, this Android source code was then made publicly available for all on Github and has absolutely nothing to do with the article we have published. The code we discovered and responsibly reported to NIC was related to other internal components which have not yet been made public. These were accidentally exposed due to their security lapses in the Aarogya Setu infrastructure,” Shadow Map’s parent company Security Brigade said in response to the government’s statement.
In the blog post, Shadow Map cited the data available on GitHub and the source code showed “several private organisations are heavily involved in the development and management of the Aarogya Setu platform”. This, they said, raised concerns around how much access individuals or private organisations had to the massive amounts of personal data.
All of these details, the researchers added in the blog post as well as their subsequent statement, were “responsibly shared with senior members of the NIC, CERT and key stakeholders from the Aarogya Setu team”. They added: “However, we did not receive any acknowledgement or response from them. The issue was silently fixed the next day.”
Other cybersecurity and technology policy experts said the findings reported by Shadow Map, if true, were worrying. “The initial error, exposing the Github credentials, is a very big mistake from the Aarogya Setu devs (developers),” said Baptiste Robert, a programmer who has previously reported vulnerabilities in the Aarogya Setu app as well as government websites that leaked sensitive user data.
Robert said a particular technical aspect of the purported finding would be significant if true. This was in reference to Shadow Map finding an “authentication key” that could enable access to the database of Aarogya Setu. “This is pretty huge because with this key, they can read/write the content of the database.”
Shadow Map in its blog post said it did not use the key to access the database and a spokesperson said the company was not aware if any hackers had carried out such a breach.
“To my understanding, Shadow Map indicated that through private keys hardcoded in repositories, it is possible to generate access tokens that can in turn be used to read, write, update and delete data stored in the Firebase (the service hosting the database). This is extremely worrying, as this would open up the possibility of malicious actors being able to tamper with the app’s data, which clearly includes sensitive personal information (such as phone numbers, travel history, information about personal health) of millions of people using the app,” said Gunjan Chawla, programme manager, technology and national security at National Law University, Delhi’s Centre for Communication Governance.
She added that if true, the incident also reflects poorly on cyber hygiene practices in India. “It is meaningless to encrypt databases if the decryption key is visible to any person viewing the source code. Other than passive profiling of citizens by adversarial countries, a malicious actor could even simply change a high risk case to a low risk, or vice versa to sabotage government attempts at containing the pandemic. Given these risks, it is surprising the app is not being treated as Critical Information Infrastructure,” she said.