Elliot Alderson Hacked Aarogya Setu & Explained Privacy Flaws

Elliot Alderson Hacked Aarogya Setu App

The renowned ethical hacker Elliot Alderson hacked Aarogya Setu and flagged a privacy concern in the COVID-19 tracing app. The app was developed by the Indian Government and contains the details of 90 million registered users.

On Twitter, he informed the Aarogya Setu Twitter handle that he had found a security issue in the app and that the privacy of the registered users was at stake. He asked Aarogya Setu to contact him privately, which they did, and Elliot Alderson disclosed the issue to them.

Elliot Alderson Hacked Aarogya Setu [Privacy Flaws]

The issue highlighted after hacking Aarogya Setu was that anyone could access the internal database of the app. Anyone could also see who is sick anywhere in India, which violates the privacy of those people. He also mentioned Mr. Rahul Gandhi, the Congress MP from the Wayanad district of Kerala, who had raised the security issue and said the app could be used as a surveillance system.

Mr. Alderson did not disclose the issue, as CERT-IN and NIC contacted him within 49 minutes of his tweet. He hacked the app within five hours using a valid Indian mobile number that was not registered on the app. Based on the flaw, he could narrow down that five people in the PMO and two people in the Indian Army headquarters felt unwell. He got this information by modifying his location to New Delhi and setting a radius of 100 km.

After contacting the hacker, the Aarogya Setu team posted an update on social media regarding the data security of the app. The developers said that the Aarogya Setu contact tracing app by design collects the location data of its 90 million users and allows them to view the concentration of people who have tested positive for COVID-19 in their locality.

Hacking Aarogya Setu is not the first instance where he has highlighted the security issues of a public database in India; he has also highlighted the security issues of the UIDAI (Aadhaar card), which led to massive outrage.

Posted by
Sidharth
