COVID-KAYA, a platform used by healthcare workers to collect and share COVID-19 cases with the DOH could have leaked names and locations of more than 30,000 frontliners. Attackers could have also used the vulnerability to see sensitive patient data.
Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto (https://citizenlab.ca/) recently released a report titled Unmasked: COVID-KAYA and the Exposure of Healthcare Worker Data in the Philippines.
Key finding of the report says that the platform used by the country's DOH "contained vulnerabilities in both the web and Android apps that allows for unauthorized users to access private data about the app’s users, and potentially patient data."
Launced in June 2, 2020 the DOH said COVID KAYA will help deliver fast, accurate, and real-time data report on Covid-19, it would help collect data and at the same time, address information gaps related to Covid-19. Monitoring would be faster using Covid Kaya as the system automates data collection used by frontliners in submitting COVID-19 case data reports.
“Ang COVID-KAYA ay isang electronic case investigation form na ginagamit ng ating mga facilities. Dito ay makakapag-input ang mga facilities ng kanilang detalye regarding sa mga pasyente na maaaring makita ng ibang facilities,” DOH Undersecretary Maria Rosario Vergeire said. COVID KAYA was developed and made by the World Health Organization (WHO) in coordination with the Department of Information and Communications Technology (DICT).
On August 18, 2020, Citizen Lab informed the developer of the App, the Department of Health and the World Health Organization Philippines that as a part of their research on the security and privacy of COVID-19 applications, they analyzed the web and Android versions of COVID-KAYA and found out that both "contain vulnerabilities disclosing data otherwise protected by “superuser” credentials." This means that anybody could access sensitive data within the system, details that are supposedly accessible only to select users.
Using the API for resetting a user's forgotten password, Citizen Lab was able to go inside a master directory of API endpoints. One such directory contains more than 30,000 users.
The researchers also warned that they "may not have been the first to have obtained unauthorized access to the web app in this fashion, which grants access to edit the profile of this user’s account. Thus, the web app may have been the subject of previous unauthorized access and attacks."
As of November 3, Dure Technologies, the developer of the app informed the Citizen Lab “… to confirm that the issue reported has been resolved and the application has been released to Playstore.”
Citizen Lab said it would continue to monitor COVID-KAYA and the StaySafe PH with a particular focus on the dangerous permissions the apps required
To read the key findings in Filipino, check https://citizenlab.ca/2020/11/covid-kaya-and-the-exposure-of-healthcare-worker-data-in-the-philippines-tagalog/