The outbreak of the COVID-19 pandemic has created a great deal of interest and activity in the tech industry. Government organizations and private sector companies have been busy developing websites and mobile apps that can help users determine from their symptoms whether they are infected by the virus.
Just before the nationwide lockdown was imposed by the Indian government, Jio launched a self-test symptom checker. It allowed people, using the checker from their phone or Jio’s website, to find out whether they had been infected by the virus.
As per a report by TechCrunch, one of the core databases of the symptom checker did not have a password and was exposed on the internet. TechCrunch came to know of the lapse when security researcher Anurag Sen notified them after he found the exposed database on the internet on May 1. Immediately after TechCrunch informed Jio, the company took the symptom checker offline.
“We have taken immediate action,” said Jio spokesperson Tushar Pania. “The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms.”
The exposure could dent the credibility of Jio and Reliance, especially after Facebook bought about a 10% stake in Jio Platforms, which has put Jio’s valuation at $66 billion.
The exposed database contains millions of logs and user records from April 17 to May 1. A huge amount of user-generated self-test data was logged in the database, including details such as name, age, gender and location. Also exposed is a small piece of information called the user agent, which contains information about the user’s internet browser and operating system. The user agent can potentially be used to track a user’s online activities.
The database also contains data on those who created a profile on the symptom checker, which allows users to update their symptoms over time. Users had provided specific answers to questions about their current symptoms, people they had been in contact with and their health conditions.
Some records also contain the exact location of the users, seemingly because they had allowed the symptom checker to access their browser’s or phone’s location data. Most of the exposed location data points to users in Mumbai, Pune, North America and the UK.