Many companies and governments have collaborated on the development of apps and websites that offer a fast and convenient way to identify coronavirus symptoms. Jio, the largest mobile telecommunication services provider in India, released a coronavirus symptom checker app several weeks before the government announced a nationwide lockdown.
Users could also use a website-based app available on the official Jio website to perform the check. A controversy was sparked after it was revealed that a security issue offered access to one of the core databases without the need to use a password. A security researcher reported the vulnerability, and Jio took the database offline as soon as contact was established.
Jio fails to secure a coronavirus symptom checker database
The database was part of a logging server and contained several million logs and records that had been stored since April 17. Some were related to website errors and a vast array of other system notifications, but there was also a significant amount of user-generated data.
Self-tests archived in the database included important information: for example, whether the person who took the test was the primary device owner or a relative, along with age and gender. Data related to the user agent, the version of the browser used to access the service, and the operating system was also cached to offer a superior user experience. Still, such details can also be employed to track user activity over time. In some cases, the exact location of the user was also stored if permission was granted manually.
Someone with access to the Jio database could have used the latitude and longitude records to pinpoint the address of the users who shared their location. Most of the location data is associated with major Indian cities, but the platform was also accessed by people from the UK and the USA.