NEW DELHI: Data of over 150 million Indians shared with the Aarogya Setu app runs a “significant risk of theft or abuse”, a security audit firm working with the ambitious contact-tracing programme has alleged, claiming that it was not heard when it warned the government on the potential weaknesses.
While the government was quick to dismiss the claims, published by security audit firm ShadowMap in a blog that has now been taken down, as “completely unethical and in violation of the terms of engagement with the project”, the issue assumes serious proportions considering the large amount of vital data that the app has gathered and possesses.
ShadowMap, a digital risk management firm, is a sister firm of Security Brigade, a company which had originally worked on the network security aspects of the Aarogya Setu app.
In a blog post, Yash Kadakia, ShadowMap founder and Security Brigade CTO, said his company managed to gain access to Aarogya Setu and was able to discover the source code for the entire platform, including the back-end infrastructure.
The company said that by managing to pass the two-factor authentication process, it was able to access a host of critical technical data housed within the Aarogya Setu website.
In an official statement (that was withdrawn after the blog was taken down), the government had said that Security Brigade had “misused their engagement with Aarogya Setu code review”. The government claimed that a security audit of the app had also been conducted through the Data Security Council of India, as well as by Security Brigade.
“Publishing an article on issues that they came to know as part of the code review violates the basic principles of ethics and propriety and seems to be done with a malicious intent of creating a sensation and attracting attention to the firm… (it) is a complete breach of trust,” the statement said. ShadowMap, however, said that they had shared the breach with senior officials of government agencies. “However, we did not receive any response from them. The issue was silently fixed.”