Ethical hacker Robert Baptiste on Wednesday alleged that security flaws in the coronavirus tracking app Aarogya Setu enabled him to see that five people at the Prime Minister’s Office (PMO) and two at the Army headquarters were unwell.Mr. Baptise, who goes by Elliot Alderson on Twitter, also claimed that there was “one infected person at the Indian Parliament and three at the Home office.
On Tuesday, he tweeted that there were security issues with the app. Tagging the official account of Aarogya Setu, he said, “A security issue has been found in your app. The privacy of 90 million Indians is at stake.
Can you contact me in private?”
‘Rahul was right’ He went on to add that former Congress president Rahul Gandhi, who had termed the app “a sophisticated surveillance system”, was right.
In response to the issues raised by Mr. Baptise, the team of Aarogya Setu, in a statement, said no personal information of any user was proven to be at risk.
ALSO READ
Never thought I would get so much love and support on TikTok - Niharika Jain
“We were alerted by an ethical hacker of a potential security issue of Aarogya Setu… No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified," the statement said.
Following this statement, Mr. Baptise tweeted that he was able to “... know who is infected, unwell, made a self-assessment in the area of his choice. Basically, I was able to see if someone was sick at the PMO or the Indian Parliament. I was able to see if someone was sick in a specific house if I wanted... This is the issue."
Ethical hacker Robert Baptiste, who alleged security flaws in Aarogya Setu, called for making the application’s source code open. “...When you ask (force) people to install an app, they have the right to know what the app is really doing. If you love your country @SetuAarogya, publish the source code,” he tweeted.
As per the statement issued by a team of Aarogya Setu, Mr. Baptise pointed out that the application fetched user location on a few occasions. However, Aarogya Setu said, “This is by design and is clearly detailed in the privacy policy.”
ALSO READ
10 Social Media Manager Kit to run Digital Marketing online
It noted that the application fetched a user’s location and stored it on a server in a secure, encrypted and anonymised manner “1) at the time of registration, 2) at the time of selfassessment, and 3) when the user submits his or her contact tracing data voluntarily through the app or when we fetch the contact tracing data after the person turns COVID19 positive”.
Further, the French hacker had said that a user can get the COVID19 statistics displayed on the home screen by changing the radius and latitude-longitude using a script.
The Aarogya Setu statement said, “The radius parameters are fixed and can only take one of the five values — 500 meters, 1 km, 2 km, 5 km, and 10 km. These values are standard parameters....”
It added that a user could change the latitude/longitude to get the data for multiple locations.
News source: The Hindu Delhi