Indonesia is currently looking into a potential security flaw in a COVID-19 test-and-trace app that exposed 1.3 million people’s health status, contact information, personally identifiable information (PII), COVID-19 test results, and other information.
The Electronic Health Alert Card, or eHAC, app is said to be required for all visitors entering Indonesia from outside the country, both Indonesians and foreigners. It is also required for domestic flights within Indonesia.
The exposed database was apparently discovered as part of a large web mapping project by the vpnMentor research team. Their researchers search for unsecured data stores containing sensitive information using large-scale web scanners. They then search through each data store for evidence of data leakage.
The eHAC database was accessible to their team because it was completely unsecured and unencrypted.
“Whenever we find a data breach, we use expert techniques to verify the owner of the database, usually a commercial business,” said the vpnMentor research team. “As ethical hackers, we’re obliged to inform a company when we discover flaws in its online security. We reached out to the various parties responsible for eHAC to inform them about the vulnerability and suggest ways to secure their system.”
According to Anas Ma’ruf, a Health Ministry official, the potential data leak was from an earlier version of the app. “The eHAC from the old version is different from the eHAC system that is a part of the new app,” he said. “Right now, we’re investigating this suspected breach.”
Anas urged people to delete the old app and speculated that the breach could have been caused by a partner, but he did not elaborate. He stated that the government now manages the current eHAC system and that its security is "guaranteed."
The eHAC system is now integrated into the Peduli Lindungi (Care Protect) app, which the government has promoted for tracing purposes such as mall entry.
Was Security not a Priority?
CSA reached out to Ian Hall, Head of Client Services, APAC, at Synopsys Software Integrity Group, to share his views on this matter. He stated that while it is commendable that governments around the world have rushed to develop apps in response to COVID-19 (for track-and-trace, vaccine passports, tracking users in quarantine, and more), security is often not at the forefront of developers’ minds, which leads to insecure practices, as was the case with this eHAC app.
According to Ian, security is an aspect that should be thought of right from the design phase through to post go-live monitoring. In this case, it appears that a database with an array of data, including PII, was left exposed. “The good news is that it was identified by an ethical hacker and reported to the developer. At this time, we don’t know if a malicious attacker had identified the database as well and accessed the data,” he said.
Furthermore, Ian added that developing and deploying quickly is one of the key goals of the DevSecOps movement in modern software development. However, it is important to also have the necessary monitoring in place to detect security issues and then triage, fix, test, and re-deploy.
Ian shared, “From the description that vpnMentor provided, it appears that this area could have been improved. Further improvements could also have been made in the turnaround time for taking the database offline since the initial disclosure was also made to the developer about a month ago.”
vpnMentor mentioned that a data breach issue can sometimes be resolved quickly, but this is extremely rare. Instead, it often takes days of investigation to figure out what’s at stake or who’s leaking the data.