The company Mylabs launched Coviself, a COVID-19 Rapid Antigen Self Test Kit, last year. It is the first COVID-19 self-test kit in India: you can get results within 15 minutes from the comfort of your home and receive a report via the app.
Several months ago, an Information Security Researcher named Dipak Kumar Das from Odisha decided to investigate Coviself’s mobile application for security issues. By exploiting vulnerabilities in the Coviself applications, he was able to access the confidential information of 40 thousand Coviself customers.
Dipak Kumar Das is an Application Security Researcher and Bug Bounty Hunter and currently works for Informatica, Bangalore, as a Senior Product Security Engineer. In the past, he has been recognized by more than a hundred reputable organizations, including Microsoft, Google, SalesForce, Starbucks, Mediafire, etc., for reporting critical security vulnerabilities in their applications. He has expertise in mobile application, web application, infrastructure, and IoT penetration testing.
He obtained information about Coviself users, including their email, name, mobile number, address, and even their pictures. In addition to users' PII, he also had access to each user's COVID-19 test results.
After reporting the issue ethically, he contacted the CTO and members of their technical departments and support teams. However, this time no positive reaction was received, and replies to his offers to discuss the issue were delayed.
After waiting a long time for a positive response, he concluded that they were interested neither in enhancing their application’s security nor in preventing a significant data breach. As a result, he wrote about his findings on his blog without giving too many details, describing the impact of the vulnerability and the affected users.
Several days later, the researcher realized that Mylabs had fixed the security issue without even informing him, which was unfortunate. However, many vulnerabilities were still present at the time that could have harmed their business and led to a loss of users.
Moreover, he added that startups and developers must be aware of the consequences of this type of security issue, where their customers’ data is at stake. Organizations must perform a pentest on applications before they are made public: as soon as a vulnerability affects your production systems, bad guys can come in and hurt you in many ways. This was not his first time reporting critical issues. He has reported many vulnerabilities in top reputed Indian brands and organizations, which have appreciated his ethical approach; some have also acknowledged him with a bounty and a place in their Hall of Fame.
His personal blog, addictivehackers, features detailed technical information on the security vulnerability in Mylab’s Coviself.