A Security Flaw In Qatar’s Contact Tracing App Exposed Hundreds Of Thousands Of People’s Personal Data – By Megha Rajagopalan (Buzzfeed) / May 26 2020
After it was found by Amnesty International, the bug was fixed by the app’s developers.
A security flaw in Qatar’s mandatory coronavirus contact tracing app could have resulted in the leak of the personal data of hundreds of thousands of people, including ID numbers, location, and health information, according to Amnesty International’s Security Lab.
After Amnesty alerted Qatari authorities on Thursday, they fixed the flaw in the app. The incident underscores the risks of contact tracing apps. Privacy activists worry the apps could be compromised by outside attackers or used by governments to collect personal data unrelated to the pandemic.
Claudio Guarnieri, a senior technologist at Amnesty International and head of its Security Lab, told BuzzFeed News that his organization found the flaw that could have compromised people’s data.
“The app downloaded the QR code from the server by performing a particular request providing the national ID the user provided at registration,” he said. “However, anyone with the sufficient technical know-how to analyze the inner workings of the apps would have been able to reconstruct the network protocol and notice that because the server only expected an ID number to return the QR code, one could request it for any other ID instead.”
A hacker could have used a brute-force attack to generate all possible combinations of the ID numbers, retrieving their data.
Continue to article: https://www.buzzfeednews.com/article/meghara/coronavirus-qatar-app-flaw