Qatar Tracing App Flaw Exposed 1 Mn Users’ Data: Amnesty

A security flaw in Qatar’s controversial mandatory coronavirus contact tracing app exposed sensitive information of more than one million users, rights group Amnesty International warned Tuesday.

The glitch, which was fixed on Friday after being flagged by Amnesty a day earlier, made users’ ID numbers, location and infection status vulnerable to hackers.

Privacy concerns over the app, which became mandatory for residents and citizens on pain of prison from Friday, had already prompted a rare backlash and forced officials to offer reassurance and concessions.

Users and experts had criticised the array of permissions required to install the app including access to files on Android devices, as well as allowing the software to make unprompted phone calls.

Despite insisting the unprecedented access was necessary for the system to work, officials said they would address privacy concerns and issued reworked software over the weekend.

“Amnesty International’s Security Lab was able to access sensitive information, including people’s name, health status and the GPS coordinates of a user’s designated confinement location, as the central server did not have security measures in place to protect this data,” the rights group said in a statement.

“While Amnesty International recognises the efforts and actions taken by the government of Qatar to contain the spread of the COVID-19 pandemic and the measures introduced to date, such as access to free healthcare, all measures must be in line with human rights standards.”

More than 47,000 of Qatar’s 2.75 million people have tested positive for the respiratory disease — 1.7 percent of the population — and 28 people have died.

Like other countries, Qatar has turned to mobiles to trace people’s movements and track who they come into contact with, allowing officials to monitor coronavirus infections and flag possible contagion.

“The Ehteraz app’s user privacy and platform security are of the utmost importance,” Qatar’s health ministry said in a statement on Tuesday.

“A comprehensive update of the app was rolled out on Sunday May 24 with expanded security and privacy features for all users.”

But Ehteraz, which means “Precaution”, continues to allow real-time location tracking of users by authorities at any time, Amnesty said.

“It was a huge security weakness and a fundamental flaw in Qatar’s contact tracing app that malicious attackers could have easily exploited,” said Claudio Guarnieri, head of the group’s security lab.

“The Qatari authorities must reverse the decision to make use of the app mandatory,” he said.

Written By

AFP 2023
