DATA SECURITY IN OUR COUNTRY IS A JOKE!

Karnataka Govt is leaking private info of those who got tested for COVID.

In this thread, I will share my experience with the COVID test and how I learned about the way our Govt is exposing our personal data.
I live in an apartment complex in Bangalore where to date only half a dozen COVID cases have been reported but last month a positive case was reported in my building.

The person was living just two floors above me.
Although I didn’t have any symptoms, having a positive case in my building had spooked me enough to get myself tested.

BBMP was conducting free COVID tests in our society for the past two weeks on every weekend.

Our society was also encouraging everyone to get tested.
I got myself tested on the 24th of Oct and I received this text message.

One of the volunteers who collected my sample told me that if my test was positive BBMP would call me; otherwise I would get a text message with the results within the next two days.
Now the waiting game begins. No text message/call for the next 2, 3, 4, 5 days. Finally, I was pissed off and searched online to see if there was a way I could check my results manually.

Luckily, the Karnataka Govt had created a portal to get that info. The portal: https://www.covidwar.karnataka.gov.in/service1
As you can see, it asks for just your 13-digit SRF ID and a captcha. For the last two weeks, whenever I entered my ID, I got the message

“Check SRF ID entered. If it's correct then result awaited”.
My SRF ID was 2952502847151, so I thought let's try the next person's ID to see if the site is actually working properly. It worked; the next person's ID 2952502847152 showed the following result.
So I guess I am unlucky that I still haven't received my test results. Out of sheer boredom, I thought let's check what's happening in the background, and this is where the whole fucked up coding came to my attention.

SLIGHT TECHNICALITY AHEAD
Once you press the Search button, in the background two steps are followed to display the result.

In the first step, they check the validity of the SRF ID and captcha, and also whether the result is positive or negative.
If the result is negative, another request is made to an API with the SRF ID as a parameter.

Here is the fucked up part. This API is public and it gives out all the personal details that they are not even showing on the website, such as the contact number.
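The thread does not show how the two endpoints are implemented, so the following is an added illustration (not the portal's code) of the flow the author asks for later in the thread: the result is released only after an OTP sent to the phone number registered for that SRF ID, the reply never includes contact details, and a wrong or unknown SRF ID gets the same message as a correct one so neighbouring IDs cannot be probed. The records, phone numbers, field names and the SMS hook are constructed assumptions.

```python
import hmac
import secrets

# Constructed sample records standing in for the lab database; the field names
# are assumptions, the thread only says the second API returned personal details
# such as the contact number. Results: AWAITED, POSITIVE or NEGATIVE.
RECORDS = {
    "2952502847151": {"phone": "+919900000001", "result": "AWAITED"},
    "2952502847152": {"phone": "+919900000002", "result": "NEGATIVE"},
}

# One outstanding OTP per SRF ID: (code, attempts left). In production this
# would live in a store with a short TTL, not a module-level dict.
PENDING_OTP: dict[str, tuple[str, int]] = {}
MAX_ATTEMPTS = 3
GENERIC_MESSAGE = "If the details match, an OTP has been sent to the registered number."
GENERIC_ERROR = "Check SRF ID entered. If it's correct then result awaited"


def request_otp(srf_id: str, phone: str, send_sms=lambda number, code: None) -> str:
    """Step 1: the caller claims an SRF ID and the phone registered for it.
    The reply is identical whether or not the pair matches, so guessing a
    neighbouring SRF ID reveals nothing; the OTP goes only to the stored number."""
    rec = RECORDS.get(srf_id)
    if rec is not None and hmac.compare_digest(rec["phone"].encode(), phone.encode()):
        code = f"{secrets.randbelow(10**6):06d}"
        PENDING_OTP[srf_id] = (code, MAX_ATTEMPTS)
        send_sms(rec["phone"], code)  # hypothetical SMS hook, injected for testing
    return GENERIC_MESSAGE


def lookup_result(srf_id: str, otp: str) -> dict:
    """Step 2: release the result only once the OTP proves possession of the
    registered phone, and return the minimum: never the contact number."""
    pending = PENDING_OTP.get(srf_id)
    if pending is None:
        return {"error": GENERIC_ERROR}
    code, attempts = pending
    if not hmac.compare_digest(code.encode(), otp.encode()):
        # Burn an attempt; after MAX_ATTEMPTS wrong codes the OTP is discarded.
        if attempts - 1 <= 0:
            del PENDING_OTP[srf_id]
        else:
            PENDING_OTP[srf_id] = (code, attempts - 1)
        return {"error": GENERIC_ERROR}
    del PENDING_OTP[srf_id]  # single use
    return {"srf_id": srf_id, "result": RECORDS[srf_id]["result"]}
```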

Great Job guys!
There is no limit to what you can do with this. You can just write a simple Python script and run a loop over SRF IDs, and you can have the entire database of all patients with their personal details in less than half an hour.

I tried that, it took me less than five minutes.
I informed the relevant authorities last night and they are working on fixing this.

Right now, they have disabled the API for everything so even if you enter everything correctly you can’t view the results. You can see the same script returning different results now.
My Questions:

How can anyone just view my COVID test result without my consent? Why don't they authenticate using an OTP?

Why was it necessary to expose the contact details to patients?

Why can’t they put authentication in these APIs?

Why don't they hire better coders?
Imagine scammers getting hold of this data. They could have easily scammed people in this vulnerable state and the times we live in.

GOD SAVE US ALL!
You can follow @devzoy.