[BreachExchange] Qatar tracing app flaw exposed 1mn users’ data

Destry Winant destry at riskbasedsecurity.com
Thu May 28 09:18:20 EDT 2020


https://www.brecorder.com/2020/05/26/600273/qatar-tracing-app-flaw-exposed-1mn-users-data/

DOHA: A security flaw in Qatar's controversial mandatory coronavirus
contact tracing app exposed sensitive information of more than one
million users, rights group Amnesty International warned Tuesday.

The glitch, which was fixed on Friday after being flagged by Amnesty a
day earlier, made users' ID numbers, location and infection status
vulnerable to hackers.

Privacy concerns over the app, which became mandatory for residents
and citizens on pain of prison from Friday, had already prompted a
rare backlash and forced officials to offer reassurance and
concessions.

Users and experts had criticised the array of permissions required to
install the app including access to photo and video galleries on
Android devices, as well as allowing the software to make phone calls.

Despite insisting the unprecedented access was necessary for the
system to work, officials said they would address privacy concerns and
issued reworked software over the weekend.

“Amnesty International's Security Lab was able to access sensitive
information, including people's name, health status and the GPS
coordinates of a user's designated confinement location, as the
central server did not have security measures in place to protect this
data,” the group said in a statement.

“While Amnesty International recognises the efforts and actions taken
by the government of Qatar to contain the spread of the COVID-19
pandemic and the measures introduced to date, such as access to free
healthcare, all measures must be in line with human rights standards.”

More than 47,000 of Qatar's 2.75 million people have tested positive
for the respiratory disease — 1.7 percent of the population — and 28
people have died.

Like other governments around the world, Qatar has turned to mobile
phones to trace people's movements and track who they come into
contact with, allowing officials to monitor coronavirus infections and
alert people at risk of contagion.

The Ehteraz app, which means “Precaution”, continues to allow
real-time location tracking of users by authorities at any time, the
report added.

Security forces manned checkpoints across Qatar on Sunday to ensure
use of the app alongside checking for use of masks, which are also
compulsory in public.

“It was a huge security weakness and a fundamental flaw in Qatar's
contact tracing app that malicious attackers could have easily
exploited,” said Claudio Guarnieri, head of Amnesty's security lab.

“The Qatari authorities must reverse the decision to make use of the
app mandatory,” he said.

