The critical vulnerability in the My eHealth application – a leak of the Slovak database of patients tested for COVID-19
In the Moje eZdravie application, we identified a trivial vulnerability that allowed us to obtain personal information about more than 390,000 patients who were tested for COVID-19 in Slovakia (for the demonstration we managed to obtain personal information about more than 130,000 patients, of whom more than 1600 were COVID-19 positive).
The personal information obtained for each patient includes:
- birth number
- date of birth
- mobile number
- place of residence
- information on clinical symptoms (pneumonia, fever, cough, malaise, rhinitis, headache, joint and muscle pain)
- sample code
- the exact date of collection
- the name of the laboratory that performed the test
- the applicant’s medical doctor
- the protocol number
- the date of receipt and examination
- the type of test, and
- the COVID-19 result.
Description of the vulnerability
Exploitation of this vulnerability, leading to the leakage of personal data and COVID-19 test results of more than a quarter of a million Slovak citizens, was possible due to the following factors:
- The API format leaked to public search engines (which indexed it)
- Unauthorized access to API calls was possible, giving access to sensitive information without any authentication
- Information about all patients could be obtained by simply enumerating a numeric identifier
- There was no mechanism of any kind to prevent mass download of this data
- All data was unencrypted (in “plaintext”)
Obtaining a database of patients tested for COVID-19
An attacker could access the data of all patients without any authentication and without any special technical knowledge. The script for obtaining data on all patients in XML format is completely trivial:
for (( i=8966; i < 391000; i++ )); do
Therefore, no special exploit was needed to obtain the entire database of tested patients.
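As an added example (not part of the original report or of the Moje eZdravie application itself), here is detection logic a defender could run over web-server access logs to spot the sequential-identifier enumeration described above, the kind of mass download that a rate limit or monitoring would have caught. It assumes Common Log Format lines and a hypothetical endpoint path /api/patient/<id>; the real endpoint is not given on this page and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format). The path /api/patient/<id>
# is a hypothetical placeholder; the real Moje eZdravie endpoint is not given here.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Sep/2020:22:01:05 +0200] "GET /api/patient/8966 HTTP/1.1" 200 1532
203.0.113.7 - - [13/Sep/2020:22:01:05 +0200] "GET /api/patient/8967 HTTP/1.1" 200 1498
203.0.113.7 - - [13/Sep/2020:22:01:06 +0200] "GET /api/patient/8968 HTTP/1.1" 200 1511
203.0.113.7 - - [13/Sep/2020:22:01:06 +0200] "GET /api/patient/8969 HTTP/1.1" 200 1490
203.0.113.7 - - [13/Sep/2020:22:01:07 +0200] "GET /api/patient/8970 HTTP/1.1" 200 1503
198.51.100.4 - - [13/Sep/2020:22:03:41 +0200] "GET /api/patient/120455 HTTP/1.1" 200 1520
198.51.100.4 - - [13/Sep/2020:22:09:12 +0200] "GET /api/patient/120455 HTTP/1.1" 200 1520
198.51.100.4 - - [13/Sep/2020:22:09:13 +0200] "GET /api/patient/99 HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
ID_RE = re.compile(r'^/api/patient/(?P<id>\d+)$')

def parse_requests(log_text):
    """Return (ip, patient_id) pairs for successful (2xx) GETs on the per-patient endpoint, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET" or not m.group("status").startswith("2"):
            continue
        p = ID_RE.match(m.group("path"))
        if p:
            hits.append((m.group("ip"), int(p.group("id"))))
    return hits

def find_enumerators(log_text, min_run=5):
    """Flag clients whose requested IDs form a run of >= min_run consecutive integers.
    Returns {ip: (first_id, last_id, run_length)} using the longest run per client; a user
    repeatedly viewing their own record never builds such a run."""
    ids_by_ip = defaultdict(list)
    for ip, pid in parse_requests(log_text):
        ids_by_ip[ip].append(pid)
    flagged = {}
    for ip, ids in ids_by_ip.items():
        run_start, run_len, best = ids[0], 1, (ids[0], ids[0], 1)
        for prev, cur in zip(ids, ids[1:]):
            run_start, run_len = (run_start, run_len + 1) if cur == prev + 1 else (cur, 1)
            if run_len > best[2]:
                best = (run_start, cur, run_len)
        if best[2] >= min_run:
            flagged[ip] = best
    return flagged
```

On the constructed sample, only 203.0.113.7 is flagged, with the run 8966 to 8970; in production the same check would be paired with a per-client request budget on the endpoint.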
The data and its potential misuse
- We downloaded a sufficiently large random sample of the data and verified that these were genuinely unique records
- Based on the numeric identifiers, we detected at least 391,250 valid records (according to https://korona.gov.sk/ the current figure is 393,486)
- We identified completely fresh records of tested patients (a few hours before the vulnerability was fixed)
- The first record had the ID 8966
- Leaked information such as name, surname, birth number, date of birth, gender, mobile number, place of residence or email can be misused for sophisticated targeted social-engineering attacks (phishing, vishing and others). Combined with other available information, such as the test result, the health insurance company or the name of the laboratory that performed the test, it makes sophisticated targeted “scam” attacks possible.
Responsible disclosure of the vulnerability
Because this was sensitive data on a large part of the Slovak population, we reported this vulnerability through the official CSIRT channel on 13 September 2020 at 23:30. The vulnerability was fixed on 16 September around 16:30-16:50. Only after it had been fixed did we decide to publish this vulnerability report.
It is necessary to think about the following:
- Why should such sensitive information about all patients tested for COVID-19 be placed on the public Internet at all?
- Why wasn’t it anonymized or encrypted in any way?
- Why wasn’t it protected in any way by authentication?
- Why weren’t patient records several months old deleted?
- If the state cannot protect the personal information of all people tested for COVID-19, why do we think it can protect the sensitive location data it can obtain from mobile operators?