Today the Indian government’s Aarogya Setu is one of the world’s fastest-growing mobile applications, with the app boasting 150 Mn users. The app’s massive traction is quite justified given that it is India’s official platform for tackling the COVID-19 pandemic. Its critical functions include contact tracing, self-assessment chatbots, status updates, e-pass management, etc.
However, despite all the noble intentions, the Aarogya Setu app has been plagued by data privacy controversy from day one of its launch. With the personal data and health details of more than 150 Mn Indians at stake, cyber security experts and data privacy advocates are apparently right in raising concerns around this platform.
In a bid to address these concerns, Aarogya Setu’s team open-sourced a limited part of its Android platform and announced the Aarogya Setu Bug Bounty program in May. But it turns out that the Android source code released on GitHub as part of the bug bounty program has not been updated since 29th May. Furthermore, the current code on GitHub is meant for an older version of the app (1.2.2), while the app has already moved to the latest version, 1.4.1, which was launched on 8th July.
Now we come to the main crux of the story, i.e. how ShadowMap got complete access to the full source code of Aarogya Setu and its back-end infrastructure. But before we start with the story, here is a little info about ShadowMap. ShadowMap is a risk management platform that uses AI and deep-web scanning to continuously monitor the internet and dark web, helping with data monitoring, leaked credentials, cyber threat intelligence, monitoring of dark web forums, and so forth. According to our information, the firm is based in Mumbai.
It should be noted that Techpluto came to know about ShadowMap’s tryst with the Aarogya Setu source code and back-end infrastructure when ShadowMap emailed Techpluto informing us about the same.
Now coming to the actual anecdote: ShadowMap, as part of an internal research report, was recently scanning all the govt.in domains to track public exposures, data leaks, etc. It then forwards this research report to CERT-In to help it identify and mitigate key risks pertaining to data leaks and compromises across government websites and digital assets.
While it was carrying out this project, one of ShadowMap’s team members noticed on the 23rd of June that one of the Aarogya Setu servers had been recently updated. More importantly, he noticed that one of its developers had accidentally published their Git folder into the public webroot, along with the username and password for the official Aarogya Setu GitHub account. However, despite the accidental disclosure of the username and password, any layman would still have found it difficult to break into Aarogya Setu’s GitHub account, since it prompts for two-factor authentication. But ShadowMap’s team had recently discovered that by leveraging the GitHub API it could easily bypass the 2FA check. ShadowMap’s team members decided to leverage the GitHub API, and barely a few minutes later they had access to Aarogya Setu’s GitHub account.
ShadowMap was now able to access Aarogya Setu’s list of 10 repositories and download the source code for the Aarogya Setu website. Along with this, ShadowMap also got access to the Swaraksha portal, back-end APIs, web services, internal analytics/correlation code, the SQS handler, the OTP service, etc.
ShadowMap claims that a Git folder being published to the public internet is an extremely common problem nowadays that plagues every organization. It further adds that this underlying security issue, confronting several organizations as well as Aarogya Setu, is a strong indicator that appropriate DevSecOps practices are not in use. The company also goes on to claim that the password being hard-coded into the Git configuration file indicates a lack of security awareness and controls.
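As an added illustration (not ShadowMap’s tooling, nor anything from the Aarogya Setu repositories), here is the kind of pre-deploy check a team could run over its web root before publishing. It catches both halves of the mistake described above: a `.git` directory sitting under the web root, and a remote URL in `.git/config` that embeds a password or token. The repository URL, user name and token are constructed sample data.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# "url = ..." lines inside .git/config, which is where git stores remote URLs.
URL_LINE = re.compile(r"^\s*url\s*=\s*(\S+)", re.MULTILINE)


def find_exposed_git_dirs(webroot):
    """Return every .git directory under the web root (anything here gets served)."""
    return sorted(str(p) for p in Path(webroot).rglob(".git") if p.is_dir())


def credentials_in_git_config(config_text):
    """Return (url_with_password_redacted, username) for each remote URL carrying a secret."""
    findings = []
    for match in URL_LINE.finditer(config_text):
        url = match.group(1)
        parts = urlsplit(url)
        if parts.password:  # https://user:secret@host/... form
            findings.append((url.replace(parts.password, "<redacted>"), parts.username))
    return findings


def audit_webroot(webroot):
    """Map each exposed .git directory to the embedded credentials found in its config."""
    report = {}
    for git_dir in find_exposed_git_dirs(webroot):
        config = Path(git_dir) / "config"
        report[git_dir] = credentials_in_git_config(config.read_text()) if config.is_file() else []
    return report


# Constructed sample: a .git/config left behind after cloning with credentials in the URL
# (hypothetical organisation, user and token; not taken from any real repository).
SAMPLE_CONFIG = (
    "[core]\n\trepositoryformatversion = 0\n"
    '[remote "origin"]\n'
    "\turl = https://deployer:PLACEHOLDER_TOKEN@github.com/example-org/example-portal.git\n"
    "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
)


def build_sample_webroot():
    """Create a throwaway web root that reproduces the mistake (constructed data)."""
    root = Path(tempfile.mkdtemp())
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / ".git" / "config").write_text(SAMPLE_CONFIG)
    return root


if __name__ == "__main__":
    for git_dir, creds in audit_webroot(build_sample_webroot()).items():
        print(f"EXPOSED: {git_dir} -> {creds}")
```

Run against the real deploy directory instead of the sample, a non-empty report is reason to fail the deployment and rotate whatever credential appeared in the URL.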
ShadowMap shared all these details with NIC, CERT and key stakeholders of the Aarogya Setu team, but the company claims that it did not receive any response from the concerned parties. However, this did not stop the Aarogya Setu team from quietly fixing the problem the very next day, as ShadowMap has claimed on its official blog post.
ShadowMap claims private companies are involved in the development and management of the Aarogya Setu platform
After deeply analysing Aarogya Setu’s source code, ShadowMap has made the shocking claim that several private organisations are heavily involved in the development and management of the Aarogya Setu platform. The alleged heavy involvement of private players raises a red flag over Aarogya Setu’s data privacy capability. ShadowMap’s observations become even more critical as it claims to have found that private domains, sub-domains and servers are being used to host code and data from the Aarogya Setu infrastructure. Additionally, it observed that most of the developers working on the platform seem to be doing so using private GitHub accounts, private email accounts, etc.
In its blog post, ShadowMap goes on to make an even more shocking claim: that most of these private developers seem to have access to the keys and credentials required to remotely access and modify any and all data stored within the Aarogya Setu platform.
In the blog post ShadowMap adds that though a large part of the embedded secrets are stored in environment variables, it did find several secrets such as encryption tokens, passwords, etc. hard-coded within the source code itself. It also expressed surprise over the fact that the Google Firebase service account private keys have not been revoked or changed even though it has been well over 45 days since ShadowMap’s disclosure that it had obtained access to Aarogya Setu’s source code.
Google Firebase is an industry-recognised platform, and ShadowMap has stated that Google Firebase seems to have been used by Aarogya Setu to store information related to users, including the sensitive DID mapping, user status and other details.
However, the company has claimed that it did not actively try to use the Firebase keys to access user data. But it confirmed that it was very much possible to use the Firebase keys to generate access tokens that could in turn be used to read, write, update and delete data.
In conclusion, ShadowMap states that though the Aarogya Setu app is plagued by several security issues and concerns, its fundamental problem pertains to the lack of transparency, third-party assessment, audit trails, etc.