in

A Security Flaw In Qatar's Contact Tracing App Exposed Hundreds Of Thousands Of People's Personal Data


Karim Jaafar / Getty Images

Workers wearing protective masks walk by on a street in Qatar’s capital Doha

A security flaw in Qatar’s mandatory coronavirus contact tracing app could have resulted in the leak of the personal data of hundreds of thousands of people, including ID numbers, location, and health information, according to Amnesty International’s Security Lab.

After Amnesty alerted them on Thursday, Qatari authorities fixed the flaw in the app, but the incident underscores the risks of contact tracing apps. Privacy activists worry the apps could be used by governments to collect personal data unrelated to the pandemic or compromised by outside attackers.

Claudio Guarnieri, senior technologist at Amnesty International and head of its security lab, told BuzzFeed News that his organization found the flaw that could have compromised people’s data.

“The app downloaded the QR code from the server by performing a particular request providing the national ID the user provided at registration,” he said. “However anyone with the sufficient technical know-how to analyze the inner workings of the apps would have been able to reconstruct the network protocol and notice that because the server only expected an ID number to return the QR code, one could request it for any other ID instead.”

Someone with the technical know-how could have used a brute force attack to generate all possible combinations of the ID numbers, retrieving their data.

To fix the issue, the updated version of the app has more stringent authentication requirements.


Twitter

Qatar has joined a group of several dozen countries that have implemented contact tracing apps for all or some of their populations, among the minority of which that have made them mandatory. Ehteraz, which means precaution, can also access photos and videos hosted on the user’s phone.


Twitter

Qatari authorities have said that personal data on the app would be deleted two months from the time of collection, and that there’s no cause for alarm over privacy. The app sends information it gathers from users into a central database and tracks the locations people infected with the coronavirus have visited.



Source link

Written by Angle News

Leave a Reply

This Woman Went Into The ER For What Felt Like Period Cramps And Found Out She Was Pregnant And In Labor

Here’s what to expect as SpaceX launches its first human crew to space