The story of misleading thousands of Indians by claiming Aarogya Setu has been hacked

Hungrysoul
5 min read · May 9, 2020

On May 5th, 2020, a Twitter user with the handle @fs0c131y started creating hype about “hacking” into the Aarogya Setu app (the contact tracing app by the Indian Govt. to help defend against Coronavirus).

At this point in time, the user had about 150k followers on Twitter. Most of his followers are Indians because in the last couple of years he claimed to have been “hacking into Aadhar”, and that information spread like wildfire, with media covering it and reaching thousands of people.

Soon after his tweet, just like the last time, the news spread like wildfire and people started uninstalling the application. 49 minutes after his tweet, India’s Cert-In reached out to him to verify his claim; hours after that, Aarogya Setu released an official statement saying this:

But it was too late by then: the news had already reached millions of people, and messages were spreading through family WhatsApp groups, FB, and more. Well, being from a security background, I could easily understand what the issue was, and I started telling my friends and family not to panic.

It’s scary to imagine: if a person with 150k followers can do this, what can a person with 1m or 10m followers do?

There are already articles explaining why these claims are not that serious and how contact tracing apps actually work.

The major claim he made was that changing a parameter value from a 5km radius to a 100km radius gets you the details of affected people.

  • The core feature of a contact tracing app is to identify potentially diseased people around us.
  • Increasing the radius value and getting more information can be a load issue on the server rather than a security issue, since a user can still achieve this by walking around as if he/she is playing Pokemon GO or even by spoofing the GPS location.

Ordering from a food delivery app by changing the location from Hyderabad to Delhi and claiming that you know the delivery person’s name is not a security issue. In fact, it’s a feature.

There is always a discussion about usability and security. Security testers are those who forget the facts & features of an application, whereas security engineers are the ones who closely understand the application features and design test cases around them.

A vulnerability is categorized or marked with a severity based on confidentiality, integrity & availability. In simple terms: what data is at risk, how much data is at risk & how easily can it be exploited?

If you see the above screenshot, a user can change the dist parameter value to 20, 30 or even 1000 km to get infected people in a certain radius. Now let’s ask ourselves a few questions before we judge the severity of the bug:

  • Is the bug disclosing any PII — like Phone number, Aadhar number, etc? No
  • Is the bug disclosing the exact locations of the victims? No

Now, on the basis of this, you can easily tell that the bug that has been identified is not a security concern; it is more of a usability bug and more of a product owner concern.
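The two questions above expressed in code, as an added example that is not from the original article or from the Aarogya Setu code base: a server-side handler that maps the client-supplied dist value to an approved radius and returns only an aggregate count, so a tampered value yields neither PII nor exact locations. The allow-list of radii, the response field names and the sample records are assumptions constructed for illustration.

```python
import math

# Assumed allow-list of radii in km (constructed; the article only mentions 5 km).
ALLOWED_RADII_KM = (0.5, 1, 2, 5, 10)
DEFAULT_RADIUS_KM = 5

# Constructed sample records: (lat, lon, phone). The phone number is PII
# and must never appear in a response.
SAMPLE_CASES = [
    (17.3850, 78.4867, "+91-0000000001"),  # Hyderabad
    (17.4000, 78.5000, "+91-0000000002"),  # ~2.2 km away
    (17.7000, 78.9000, "+91-0000000003"),  # ~56 km away
    (28.6139, 77.2090, "+91-0000000004"),  # Delhi
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def resolve_radius(raw_dist):
    """Map the client-supplied `dist` to a server-approved radius.

    Anything unparsable or outside the allow-list (20, 100, 1000, NaN, ...)
    falls back to the default, which also bounds the query cost on the server.
    """
    try:
        value = float(raw_dist)
    except (TypeError, ValueError):
        return DEFAULT_RADIUS_KM
    return value if value in ALLOWED_RADII_KM else DEFAULT_RADIUS_KM


def nearby_summary(lat, lon, raw_dist, cases=SAMPLE_CASES):
    """Return only an aggregate: no phone numbers, no coordinates."""
    radius = resolve_radius(raw_dist)
    count = sum(
        1 for c_lat, c_lon, _phone in cases
        if haversine_km(lat, lon, c_lat, c_lon) <= radius
    )
    return {"radius_km": radius, "infected_count": count}
```
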

In the last few days, I have seen how the news was spread without actually confirming facts, feeding wrong information to common people who have no technical background, involving political agenda, etc.

I want to share what the situation is right now

This is one of the worst pandemics we have faced in the last 100 years.

I want to share how important a role data plays

We are living in an era of data; people are learning, discovering, and creating things faster, all thanks to data. The day when you start believing in this is the day you’ll see a difference in this world.

The article shows how important it is to stop coronavirus by identifying it in its very early stage by showing examples of China, South Korea, etc.

Image from the hammer and the dance article

I want to share how important it is to be responsible

With great power comes great responsibility.

5th May is the date when he tweeted to Aarogya Setu, and on 6th May the news started spreading through media as well as through social media platforms. In just 3 days, his followers increased by 60k, all thanks to a very sensitive topic and the emotions of people.

With the increase in followers, I have also seen this person tweeting more on the same topic. It’s simple logic: he might be doing this to stay relevant and to make sure the hype is still up. But the thing is, for how long will we encourage such things and risk millions of lives?

My request to all the people is to verify the information they get, be responsible, use the app, and help the globe fight this pandemic, and to all security folks to be responsible and disclose vulnerabilities.

I̶f̶ ̶y̶o̶u̶ ̶c̶a̶n̶’̶t̶ ̶t̶r̶u̶s̶t̶ ̶y̶o̶u̶r̶ ̶o̶w̶n̶ ̶g̶o̶v̶e̶r̶n̶m̶e̶n̶t̶ ̶d̶u̶r̶i̶n̶g̶ ̶a̶ ̶p̶a̶n̶d̶e̶m̶i̶c̶ ̶t̶h̶e̶n̶ ̶w̶h̶o̶m̶ ̶w̶i̶l̶l̶ ̶y̶o̶u̶?̶

The above statement about the Gov is stupid! I take it back


Hungrysoul

Python Dev, Part time Bug Bounty Hunter & a Full time entrepreneur.