Since the outbreak began, governments and companies have begun developing applications and websites that can help users identify the symptoms of COVID-19.
India’s largest cellular network, Jio, a subsidiary of Reliance, has launched a coronavirus self-test symptom program in late Marchshortly before the government of India introduced strict nationwide lock prevent further spread of coronavirus. The Symptom Checker allows anyone to check their symptoms from their Jio phone or website to see if they have become infected with COVID-19.
TechCrunch discovered that due to a security error, one of the main symptom-checking databases was connected to the Internet without a password.
Security researcher Anurag Sen discovered the database on May 1, immediately after its release, and told TechCrunch to notify the company. Gio quickly shut down the system after TechCrunch made contact. It is not known if anyone else has accessed the database.
“We took immediate action,” said Jio spokesman Tushar Panya. “The registration server is designed to monitor the performance of our website and is intended for a limited number of people who conduct a self-test to find out if they have any symptoms of COVID-19.”
The database contains millions of logs and records from April 17th until the time the database was disconnected. Despite the fact that the server contained the current error log of the website and other system messages, it also received a huge amount of user self-test data. Each self-test was registered in the database and included a record of who was tested, for example, “I” or a relative, their age and gender.
This data also included the user user agent, a small piece of information about the user’s browser version and operating system, which is often used to load the site correctly, but can also be used to track user activity on the Internet,
The database also contains separate records of those who signed up to create a profile, which allows users to update their symptoms over time. These notes provided answers to every question posed by the symptom checker, including the symptoms they encounter, who they interacted with, and what health problems they may have.
Some entries also contained the exact location of the user, but only if the user allowed the symptom controller access to their browser data or phone location.
We published an edited part of one of the entries below.
From one sample of the data we received, we found the exact geolocation of thousands of users from all over India. TechCrunch was able to identify people’s homes using the latitude and longitude data found in the database.
Most of the location data is centered around large cities such as Mumbai and Pune. TechCrunch also found users in the UK and North America.
The exposition could not come at a more critical time for the Indian telecommunications giant. Facebook invested last week 5.7 billion dollars for a nearly 10% stake in Jio Platforms, Reliance’s subsidiary is worth about $ 66 billion.
Gio did not answer our subsequent questions, and the company did not say whether she would report a security error to those who used the symptom tracking system.