Posted: 2020. 11. 11, 3:15:14 PM
Philippines COVID-KAYA app allowed for unauthorized access typically protected by ‘superuser’ credentials and also may have exposed patient data.
A platform used by healthcare workers in the Philippines designed to share data about COVID-19 cases contained multiple flaws that exposed healthcare worker data and could potentially have leaked patient data.
Vulnerabilities found in both the COVID-KAYA platform’s web and Android apps allowed for unauthorized users to access private data about the platform’s users and potentially patient data, according to a report from researchers at The Citizen Lab, an interdisciplinary laboratory based at the University of Toronto.
The Citizen Lab’s report is the latest example of how the COVID-19 pandemic has spurred a host of security problems for the healthcare sector to deal with – including securing data and ransomware attacks. In addition to opportunistic threat actors using the pandemic and related issues for their own gain in socially engineered phishing and other campaigns, the flood of new data related to the pandemic is also testing the security of systems used to store and share this data.
“Our analysis found that both of these versions of COVID-KAYA contain vulnerabilities disclosing data otherwise protected by ‘superuser’ credentials,” according to the report, written by Citizen Lab’s Pellaeon Lin, Jeffrey Knockel, Adam Senft, Irene Poetranto, Stephanie Tran, and Ron Deibert.
Researchers point to two vulnerabilities that have since been patched—one in the COVID-KAYA web app and another in the Android app—that attackers could have exploited to expose sensitive data from the system.
The web app’s flaw resided in its authentication logic. The vulnerability allowed “otherwise restricted access to API endpoints, exposing the names and locations of health centers as well as the names of over 30,000 healthcare providers who have signed up to use the app,” researchers said. They also said the app could have exposed sensitive patient data, although this remains unconfirmed.
Meanwhile, the COVID-KAYA Android app used hardcoded API credentials that also allowed access to the names of healthcare providers and potentially sensitive patient data as well, researchers wrote.
The Citizen Lab team disclosed the web app vulnerability to the app’s developers—including officials from Dure Technologies, the Philippines Department of Health, and the World Health Organization (WHO) Philippines—on Aug. 18, and the Android app’s vulnerability on Sept. 14. Both flaws have been identified and patched as of Oct. 29, and any leaked credentials have been invalidated, researchers confirmed.
...truncated from here
Elizabeth Montalbano, 11/11, 2020
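The article above reports that the Android app shipped hardcoded API credentials without describing how they were found. As an added illustration of how a development team can catch that class of defect before release (this is not COVID-KAYA code and makes no claim about that app's actual implementation), the following Python scanner walks decompiled Java/Kotlin sources or Android `strings.xml` resources, flags assignments whose identifier looks like a secret, and uses a Shannon-entropy threshold to ignore obvious placeholders such as `changeme`. The package name, key values and resource strings in the samples are constructed; the `find_hardcoded_credentials` and `shannon_entropy` function names are this example's own.

```python
"""Scan decompiled Android sources / resources for hardcoded API credentials.

Added example for the vulnerability class named in the article; it is not
COVID-KAYA code and does not describe that app's real implementation.
All sample inputs below are constructed.
"""
import math
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    name: str
    redacted: str   # never store or print the full value in a report
    entropy: float


# Identifier fragments that commonly name secrets in Java/Kotlin sources
# and Android resources (strings.xml, BuildConfig constants).
_SECRET_NAME = r"(?:api[_-]?key|apikey|secret|token|password|passwd|auth(?:orization)?)"

_PATTERNS = [
    # 1) Java/Kotlin style:   String API_KEY = "…";   /   val apiKey = "…"
    re.compile(r"(?i)(?P<name>\w*" + _SECRET_NAME + r"\w*)\s*=\s*\"(?P<value>[^\"]{8,})\""),
    # 2) Android resource:    <string name="api_key">…</string>
    re.compile(r"(?i)<string\s+name=\"(?P<name>\w*" + _SECRET_NAME
               + r"\w*)\"\s*>(?P<value>[^<]{8,})</string>"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def redact(value: str) -> str:
    """Keep a 4-character prefix so the finding is locatable but the secret is not re-leaked."""
    return value[:4] + "…" + "*" * 4


def find_hardcoded_credentials(source: str, min_entropy: float = 3.0) -> List[Finding]:
    """Return one Finding per secret-looking literal whose entropy passes the threshold."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for pat in _PATTERNS:
            for m in pat.finditer(line):
                value = m.group("value")
                ent = shannon_entropy(value)
                # Placeholder-like values ("changeme", "REPLACE_ME") have low entropy
                if ent >= min_entropy:
                    findings.append(Finding(line_no, m.group("name"), redact(value), round(ent, 2)))
    return findings


# Constructed sample of a decompiled config class (not from any real app).
SAMPLE_JAVA = """\
package ph.example.healthapp;   // constructed package name
public final class ApiConfig {
    public static final String BASE_URL = "https://api.example.invalid/v1/";
    public static final String API_KEY = "Ak7fG2pQ9sLzX4vR1wTn8bHc";   // constructed, not a real key
    public static final String PASSWORD = "changeme";                  // placeholder, low entropy
}
"""

# Constructed sample strings.xml resource file.
SAMPLE_XML = """\
<resources>
    <string name="app_name">Health Reporter</string>
    <string name="backend_token">e9c3a1f7b2d48056aa1c</string>   <!-- constructed -->
</resources>
"""

if __name__ == "__main__":
    for label, sample in (("ApiConfig.java", SAMPLE_JAVA), ("strings.xml", SAMPLE_XML)):
        for f in find_hardcoded_credentials(sample):
            print(f"{label}:{f.line_no}  {f.name} = {f.redacted}  (entropy {f.entropy})")
```

Run as-is it reports `API_KEY` on line 4 of the Java sample and `backend_token` on line 3 of the resource file, while `BASE_URL` and the `changeme` placeholder are left alone. A scanner like this belongs in CI on the build output rather than only on source, because build tooling (BuildConfig generation, resource merging) can reintroduce a value that was removed from the repository; the remediation itself is to keep no shared API credential in the client at all and instead issue per-user, short-lived tokens after the user authenticates, so that a leaked build discloses nothing that can be replayed against the backend.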
===========================
Quick summary:
Patient (user) data from a COVID-related health-management app in the Philippines was leaked.
There is a web app and an Android app; the Android app could have leaked data more seriously.
===========================
Thoughts: It has now been quite a while since the impact of COVID-19 hit society, but if this had been the early days of the outbreak, building a health-management app like this would have been urgent, so I think paying attention to information security would have been even harder. Even so, a personal data leak can spread into harm large and small and is something to watch at all times, so app developers should take a multifaceted perspective when building apps.