A security flaw in the coronavirus symptom checker made by India’s largest telecom operator, Reliance Jio, has exposed the results of millions of users.
The exposed data includes users’ geolocation along with their self-assessment data. While Jio has pulled down the server, no misuse of the data has been reported yet.
The service was launched in March, right before India’s nationwide lockdown was announced, and allowed users to screen themselves for the virus. However, an apparent Jio security lapse meant that one of the core databases, where the results were stored, was exposed to the internet without any password protection.
The affected database was discovered by security researcher Anurag Sen, whose alert prompted the company to take down the server immediately. According to Sen, the database contained data of millions of users from April 17 until it was finally pulled down on May 1.
The database reportedly contained information about the devices’ operating system, browser version and answers to all the questions asked in the assessment, apart from some generic information.
For some users, the database also had a precise location, possibly linked to those who had activated the location-tracking feature in their browser. Apart from user data, website error logs and system messages were also found in the database.
According to the report, the database mostly contained the information of users from Indian cities like Mumbai and Pune; however, some records of British and American nationals were also found.
“We have taken immediate action. The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms,” said Jio spokesperson Tushar Pania in a statement.