CoWIN ‘data leak’: How a bot reignited privacy fears
The screenshots also carried details that purported to show where these people would have had their latest Covid-19 vaccine doses
Reports and screenshots by journalists and opposition politicians on Monday purported to show unauthorised access into a government database, possibly the Covid-19 vaccine booking service CoWIN, with sensitive personal information tied to any mobile phone number becoming available.
At risk may be personally identifiable information (PII) of millions of people, since the data appeared to include identity documents details of people who signed up to get Covid-19 vaccines – which can be booked only via the digital service.
What exactly happened
The screenshots showed responses from an automated, or bot, account on the messaging application Telegram. If someone fed the bot a phone number, it would throw back PII such as full name, date of birth, identity document type and number, and the location of the last Covid-19 vaccination associated with that mobile number.
For instance, according to screenshots shared by Trinamool Congress’s Saket Gokhale, this included the former Congress leader P Chidambaram’s birthday and Aadhaar card number, Rajya Sabha deputy chairman Harivansh’s passport number and Shiv Sena (UBT) MP Sanjay Raut’s Aadhaar number.
The screenshots – the unredacted versions of some of which were seen by HT – also carried details that purported to show where these people would have had their latest Covid-19 vaccine doses. To be sure, to access this data, one would need to have the mobile phone number of a target.
What kind of security was meant to stop this?
CoWIN registration data is protected via an OTP-based authentication protocol. In a normal scenario, a CoWIN user is able to see their registration details and book a slot only when they have authenticated using an OTP sent to their mobile numbers.
The junior minister for technology, Rajeev Chandrasekhar, said the data appeared to come from a database compiled by a “threat actor” via previous breaches and that the CoWIN database was untouched.
In a separate statement, the Union health ministry, which handles the CoWIN service, said one-time passwords are required for people to pull the sort of data that the Telegram bot appeared to retrieve.
Did the ‘threat actors’ explain?
Yes. According to messages exchanged in a linked Telegram chat group, the developer of the bot indicated that they had indeed accessed the CoWIN database, but via a complicated back door that, while not exactly breaking the vaccination service’s own protocol, leveraged a flaw in an unrelated government service that allowed them to authenticate themselves successfully.
At the heart of this is a computing mechanism known as an application programming interface, or API, which lets one application, or programme, communicate with another. For instance, the weather application on your phone communicates via an API with an actual weather service, such as the India Meteorological Department.
In this case, the developer said they used details from a protected health ministry service that recorded details of auxiliary nurses and midwives, or ANMs, and used information from there to authenticate themselves successfully with CoWIN’s API.
The health ministry statement, however, said the Telegram bot was not communicating directly with the CoWIN API.
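The failure mode described above, where a credential valid for one service lets its holder query any phone number, comes down to what a lookup endpoint checks. The following is an added illustration, not code from CoWIN or the health ministry: a lookup that only checks that the caller holds some valid credential, beside one that binds each lookup to the phone number the OTP session was actually verified for. The record, numbers and role names are constructed for the demo.

```python
import hmac
import secrets
import time

# Constructed sample record; nothing here is real data.
RECORDS = {
    "9100000001": {"name": "Sample Person A", "dob": "1970-01-01",
                   "id_type": "Aadhaar", "id_no": "XXXX-XXXX-0001",
                   "last_dose_site": "Sample Centre"},
}


class OtpAuth:
    """Minimal OTP flow: one pending code per phone, sessions bound to that phone."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}   # phone -> (otp, expiry time)
        self._sessions = {}  # session token -> phone it was verified for

    def send_otp(self, phone):
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = (otp, time.time() + self.ttl)
        return otp  # a real service delivers this by SMS; returned here only for the demo

    def verify(self, phone, otp):
        entry = self._pending.pop(phone, None)  # single use: a replayed code fails
        if entry is None or time.time() > entry[1]:
            return None
        if not hmac.compare_digest(entry[0], otp):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = phone  # the session remembers which number proved control
        return token

    def phone_for(self, token):
        return self._sessions.get(token)


def lookup_weak(records, caller_role, phone):
    """Flawed design: any caller holding some valid credential may query any number."""
    if caller_role in ("citizen", "anm"):
        return records.get(phone)
    return None


def lookup_bound(records, auth, token, phone):
    """Bound design: a record is released only to a session verified for that same number."""
    if auth.phone_for(token) != phone:
        return None
    return records.get(phone)
```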
Is the breach ongoing?
The developer pulled the bot down shortly after the first reports about it emerged on Monday morning. After initially claiming the service will be brought back, the developer appeared to have had a rethink.
It is likely that the group was monitored and that India’s Computer Emergency Response Team (CERT-In) plugged the flaws that allowed the unauthorised access to take place.
What are the implications?
There is no guarantee that no other malicious actor would have figured out the same vulnerabilities to launch a similar operation. It was also not clear whether this particular person or group behind the bot mined the PII data.
PII such as identity document details, when paired with key details such as a mobile number, can help scammers and hackers launch identity theft attacks and gain access to bank accounts and digital services like email and photo repositories. Such attacks, if successful against people working in sensitive jobs or those who are otherwise in an influential position (such as a politician or a celebrity), could involve a graver risk.
The government’s next steps
The health ministry said it has requested CERT-In to look into this issue and submit a report. “In addition, an internal exercise has been initiated to review the existing security measures of CoWIN,” it said in the statement.