#LeakAlert: Data from Jio's COVID-19 symptom checker exposed online

May 03, 2020
04:56 pm

What's the story

Soon after the COVID-19 outbreak, technology companies around the world began launching triage tools to help their customers check themselves for coronavirus. Reliance Jio, India's biggest telecom operator, was also in this race, but a new report suggests that the company has committed a major blunder in the handling of its COVID-19 symptom checker tool. Here's all you need to know about it.

Tool

Jio's Symptom Checker database exposed

Like all available self-assessment tools, Jio's "Symptom Checker" uses user inputs - like details of their health condition and travel history - to assess the risk of infection. It launched late in March as part of the MyJio app, but within two months of operation, a security lapse left a core database associated with the tool exposed on the internet without a password.

Information

Critical user information discovered in the database

Discovered by security researcher Anurag Sen on May 1, the database in question contained website errors, system messages, and logs of user-provided information, TechCrunch reported. This included test answers, such as basic details of the person being checked - self/relative with age and gender - the symptoms they may have been experiencing, details of their pre-existing health conditions, and close contacts.

Other data

Location data also included in some cases

Along with the information that users had to provide to take the symptom checker test, the leaked database also contained information on their browser version and operating system. And, if they had given location permissions, the logs also displayed precise geolocation data - longitudes and latitudes - that could easily be used to figure out where those people lived.

Response

Jio acted soon after TechCrunch raised the alarm

After Sen reported the exposure of the database to TechCrunch, the outlet notified Jio about the error, prompting the company to act quickly and pull it offline. A spokesperson from the company issued a statement publicly acknowledging the security lapse but did not clarify whether anyone other than Sen had been able to access the database or whether affected users would be informed.

Quote

Here's what the Jio spokesperson said on the matter

"We have taken immediate action. The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms," said Jio spokesperson Tushar Pania.