Reliance Jio, India’s largest telecom company by subscriber base, reportedly left the data of millions of users unsecured online through its coronavirus symptom checker tool. The lapse was brought to light by security researcher Anurag Sen: a major security lapse in Jio’s online coronavirus self-test symptom checker exposed the data of millions of its users worldwide.
A day after India announced its first phase of lockdown, the country’s largest cell network, Reliance Jio Infocomm Ltd., launched its coronavirus symptom checker to help its users self-check for symptoms of the novel coronavirus. The symptom-checker service could be accessed via the MyJio app or directly through its website.
Exposing the lapse, security researcher Anurag Sen contacted TechCrunch on May 1, alerting Jio as well, after which the telecom company pulled its database offline. It is estimated that the database contained millions of logs of its users, containing crucial personal information such as age, gender, relation to the person being tested and, if the user allowed it, their precise geolocation.
According to TechCrunch’s Zack Whittaker, the database also contained the person’s user agent, which can be used to find out a user’s browsing history and overall online activity. “A security lapse at Indian telecom giant Jio exposed one of its databases storing records of users’ coronavirus self-check results. Some records also contained a user’s precise geolocation,” Sen tweeted.
No misuse of the data has been reported so far, even though the database was accessible without much security cover, which is what allowed Sen to expose the lapse. Jio, in a statement to TechCrunch, said that the logging server’s purpose was to monitor the performance of the site. Spokesperson Tushar Punia said, “We have taken immediate action. The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms.”
The leak is all the more dangerous considering that the database also reportedly contained users’ contact information, which a person might have used to log in or sign up on the MyJio mobile app. Working from the exposed sample data, Whittaker was able to pinpoint the precise location of thousands of Jio users using the geographical coordinates, clustered in India around major metropolitan areas like Mumbai and Pune, and reportedly in the United Kingdom and North America. The database purportedly held records of all users from April 17 to May 1, after which it was finally pulled down.
The exposure of the security lapse comes after multiple investments into Jio Platforms, the parent company behind Jio’s telecom venture. Facebook recently invested $5.7 billion for a 9.99% stake, with private equity major Silver Lake investing another $750m today.
As tech majors globally race to develop their own COVID-19 symptom checker apps and websites, the Government of India too launched its own all-round coronavirus checker and facilitator, the Aarogya Setu app, which broke the record for the fastest-downloaded app on the Google Play Store, reaching 6 crore downloads in just 17 days.