Incident

India COVID vaccine CoWIN portal leaks data; data of vaccine recipients exposed

Take action: Another prime example of an unsecured API (although details are not available and likely won't be).


Learn More

The private information of numerous citizens of India who registered on the CoWIN app for COVID-19 vaccination has been leaked via a bot running in the Telegram app.

The bot expects a phone number to be entered and returns all data related to that phone number. Ordinarily, the data would be available to a user only after they enter a One Time Password (OTP) sent to that phone number to verify their identity, but the developers of the bot obviously found a vulnerability that exposes the same information without the OTP.

The leak is exposed via a Telegram bot disclosing personal details including:

  • names
  • dates of birth
  • phone numbers
  • gender
  • passport numbers
  • Aadhaar numbers (a unique ID that can be obtained voluntarily by citizens of India and resident foreign nationals)

The breach also exposed details of family members registered under the same phone number.

Researchers and newspapers have verified the exposure by querying the bot with the phone numbers of prominent politicians from various parties. It was confirmed that their personal information was exposed, and screenshots of the responses were shared on Twitter.

Despite the breach, the CEO of the National Health Authority denied the possibility of a data breach and claimed that CoWIN has state-of-the-art security infrastructure.

According to the Health Ministry, the development team of CoWIN has confirmed that there are no public APIs where data can be pulled without an OTP. However, there are some APIs which have been shared with third parties such as ICMR for sharing data, and one such API has a feature of sharing the data when called using just a mobile number or Aadhaar number.

It is stated that this API is very specific and that requests are only accepted from a trusted API which has been white-listed by the CoWIN application.

The Ministry claims that "The data being accessed by a bot is from a threat actor database, which seems to have been populated with previously breached/stolen data. It does not appear that the CoWIN app or database has been directly breached."
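The two access paths described above, as an added illustration that is not code from CoWIN, the Ministry, or the newsletter: a lookup that only returns a record to a caller holding a token bound to the phone number whose OTP was verified, next to the weaker partner-style lookup gated solely by a caller allowlist. The registry data, in-memory OTP store, signing key, allowlist address and function names are all constructed assumptions.

```python
import hmac
import hashlib
import secrets
import time

# Constructed sample registry standing in for vaccination records; not real data.
REGISTRY = {
    "+910000000001": {"name": "A. Example", "dob": "1980-01-01", "id_last4": "1234"},
}
SERVER_KEY = secrets.token_bytes(32)  # assumed per-service token signing key
OTP_STORE = {}                        # phone -> (otp, expiry); assumed in-memory store
TTL_SECONDS = 300

def send_otp(phone, now=None):
    """Issue a one-time password for the phone (SMS delivery is out of scope)."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    OTP_STORE[phone] = (otp, now + TTL_SECONDS)
    return otp  # returned only so the example can drive itself

def verify_otp(phone, otp, now=None):
    """Exchange a correct, unexpired OTP for a short-lived token bound to this phone."""
    now = time.time() if now is None else now
    stored = OTP_STORE.pop(phone, None)  # single use: a wrong guess also consumes it
    if not stored or now > stored[1] or not hmac.compare_digest(stored[0], otp):
        return None
    exp = int(now + TTL_SECONDS)
    mac = hmac.new(SERVER_KEY, f"{phone}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"

def lookup_with_token(phone, token, now=None):
    """OTP-gated path: the token must be valid, unexpired and bound to exactly this phone."""
    now = time.time() if now is None else now
    try:
        exp_str, mac = token.split(".", 1)
        exp = int(exp_str)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SERVER_KEY, f"{phone}|{exp}".encode(), hashlib.sha256).hexdigest()
    if now > exp or not hmac.compare_digest(expected, mac):
        return None
    return REGISTRY.get(phone)

def partner_lookup_allowlist_only(phone, caller_ip, allowlist=frozenset({"203.0.113.10"})):
    """Weaker path: identifier-only lookup gated by a caller allowlist. Any request that
    reaches the service through an allowlisted caller can enumerate records by number,
    so the allowlist is the only control and there is no per-record proof of possession."""
    if caller_ip not in allowlist:
        return None
    return REGISTRY.get(phone)
```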

