This blog is posted as a wake-up call for the government to improve and strengthen its commitment to responsible data practices. It also aims to highlight the below-par security standards in the IT industry, bring attention to the importance of security, and spread awareness among companies and the government so that information security is taken as seriously as any other branch. This post is published after informing both the CERT-In and NCIIPC teams multiple times.
During my journey to spread security awareness among Indian tech companies in both the private and government sectors, and in the wake of a recent hack in Singapore where 1.5 million patients' records were leaked, I happened to find a serious security flaw in the ORS Patient Portal. It could have allowed anyone to access any patient's details, including full name, complete address, age, mobile number, appointments, UHID, partial Aadhaar number and, in some cases, disease too.
Let's dive into the details.
What is ORS Patient Portal?
Online Registration System (ORS) is a framework that links hospitals across the country for Aadhaar-based online registration and appointment booking. It was first launched in 2014, and it is one of the many services launched under the Prime Minister's Digital India initiative in July 2015. The portal facilitates online appointments with various departments of different hospitals: users can book a medical appointment in any registered hospital and track it online using the eKYC data of their Aadhaar number, provided the patient's mobile number is registered with UIDAI. If the mobile number is not registered with UIDAI, the portal uses the patient's name instead. A new patient gets an appointment along with a Unique Health Identification (UHID) number.
Among the features ORS provides are booking a medical appointment online, getting an OPD appointment, and viewing lab reports and blood availability in any government hospital of any state registered in ORS. It also provides the option to view, print, cancel and pay for an appointment, and this is where the vulnerability was present.
Because users can access the details of appointments booked in any particular hospital of any state, the vulnerability was all the more impactful: an attacker could access the details of any patient registered in any hospital across any state. For the proof of concept, I chose India's biggest government hospital, the All India Institute of Medical Sciences (AIIMS) Delhi, which was also the first hospital to be registered in ORS.
To bring in some technicality: it was a simple IDOR (Insecure Direct Object Reference) vulnerability, where merely tampering with or changing a parameter or ID linked to a specific user gives access to the data of some other user.
There was also a vulnerable endpoint that exposed the mobile number of any user simply by changing or brute-forcing a parameter.
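To make the IDOR pattern concrete, here is an added example (not code from the ORS portal) of an appointment lookup that trusts the client-supplied id, beside a version with the missing ownership check, plus a regression check that counts how many other patients' records one account can read. The record layout, the patient identifiers and the sample data are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Appointment:
    appt_id: int        # sequential id of the kind an enumerator guesses
    patient_id: str     # hypothetical owner identifier (constructed)
    department: str
    mobile: str

# Constructed sample data; every value is fictitious.
APPOINTMENTS = {
    1001: Appointment(1001, "P-AAA", "Cardiology", "9000000001"),
    1002: Appointment(1002, "P-BBB", "Oncology", "9000000002"),
    1003: Appointment(1003, "P-CCC", "Dermatology", "9000000003"),
}

class Forbidden(Exception):
    pass

def view_appointment_vulnerable(session_patient_id, appt_id):
    # The IDOR: the record is fetched by the client-supplied id and the
    # logged-in patient is never compared with the record's owner.
    return APPOINTMENTS.get(appt_id)

def view_appointment_fixed(session_patient_id, appt_id):
    # Ownership check: missing and foreign ids fail identically, so the
    # response does not reveal whether a guessed id exists.
    appt = APPOINTMENTS.get(appt_id)
    if appt is None or appt.patient_id != session_patient_id:
        raise Forbidden("appointment not available to this account")
    return appt

def is_denied(lookup, session_patient_id, appt_id):
    try:
        lookup(session_patient_id, appt_id)
    except Forbidden:
        return True
    return False

def foreign_records_exposed(lookup, session_patient_id, id_range):
    # Regression check: how many other patients' records can one account
    # read by walking an id range? Must be 0 after the fix.
    exposed = 0
    for appt_id in id_range:
        if is_denied(lookup, session_patient_id, appt_id):
            continue
        rec = lookup(session_patient_id, appt_id)
        if rec is not None and rec.patient_id != session_patient_id:
            exposed += 1
    return exposed
```

The same check belongs on every endpoint that takes an object id, including the one that returned mobile numbers, since each such endpoint is a separate place to forget the ownership comparison.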
Above are the screenshots showing the redacted details of some patients. The details included the patient's full name, age, gender, complete address, mobile number, the complete list of appointments the patient has made, UHID (the unique health identification number assigned to every patient), the last four digits of the Aadhaar number (which makes the full number easier to brute-force), and the department (which may hint at the kind of disease).
Similarly, in no time the count reached around 18,000 patient records, and that was just from a few days of appointments at a single hospital, AIIMS Delhi. The numbers kept growing, disclosing the details of every appointment made at any hospital on any given day since the ORS service was launched.
The vulnerability could have allowed every single patient's records to be accessed. As per the data on the ORS site (above screenshot), a total of 237 hospitals were registered as of 18 Nov 2019, and the total number of appointments made through the portal was 30,82,791, approximately 31 lakh (3.1 million). At the time the vulnerability was found and reported, the number was around 20 lakh (2 million).
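Reading thousands of records this way leaves a recognisable trace in the web server log: one session requesting many distinct, often consecutive, appointment ids in a short window. The detector below is an added example, not anything from the ORS portal or CERT-In; the log format, the `/ors/appointment/view?id=` path, the session names and the addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a common access-log shape; every value is fictitious.
SAMPLE_LOG = """\
203.0.113.10 - sess-a [18/Nov/2019:10:00:01 +0530] "GET /ors/appointment/view?id=1001 HTTP/1.1" 200
203.0.113.10 - sess-a [18/Nov/2019:10:00:02 +0530] "GET /ors/appointment/view?id=1002 HTTP/1.1" 200
203.0.113.10 - sess-a [18/Nov/2019:10:00:02 +0530] "GET /ors/appointment/view?id=1003 HTTP/1.1" 200
203.0.113.10 - sess-a [18/Nov/2019:10:00:03 +0530] "GET /ors/appointment/view?id=1004 HTTP/1.1" 200
203.0.113.10 - sess-a [18/Nov/2019:10:00:03 +0530] "GET /ors/appointment/view?id=1005 HTTP/1.1" 200
198.51.100.7 - sess-b [18/Nov/2019:10:00:04 +0530] "GET /ors/appointment/view?id=2231 HTTP/1.1" 200
198.51.100.7 - sess-b [18/Nov/2019:10:05:00 +0530] "GET /ors/appointment/view?id=2231 HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) - (\S+) \[([^\]]+)\] "GET /ors/appointment/view\?id=(\d+) ')

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, sess, ts, appt = m.groups()
            yield ip, sess, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(appt)

def flag_enumeration(log_text, window=timedelta(seconds=60), max_distinct=3):
    # Returns {session: (distinct_ids, fraction_of_consecutive_ids)} for every
    # session that viewed more than max_distinct distinct ids inside one window.
    per_session = defaultdict(list)
    for ip, sess, ts, appt in parse(log_text):
        per_session[sess].append((ts, appt))
    flagged = {}
    for sess, events in per_session.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [a for t, a in events[i:] if t - start <= window]
            distinct = sorted(set(in_window))
            if len(distinct) > max_distinct:
                steps = [b - a for a, b in zip(distinct, distinct[1:])]
                seq_frac = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
                flagged[sess] = (len(distinct), seq_frac)
                break
    return flagged
```

A normal patient re-opening their own appointment (sess-b) is not flagged; a high consecutive-id fraction on a flagged session is the strongest signal that ids are being walked rather than browsed.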
This vulnerability had potentially put the data of 20 lakh users at risk: their PII (personally identifiable information) and PHI (protected health information).
This bug was discovered and reported to the CERT-In team (CERT-In is an office within the Ministry of Electronics and Information Technology which deals with cyber security threats) last year, in 2018, and they were quick to respond.
It could have been fixed in a day, which should be the case, but it took them more than a month to get it fixed.
But the good thing is that it got fixed. This is the only positive to take from the whole incident: CERT-In was able to reach the concerned authority, who understood the importance and criticality of the bug and fixed it. The sad part is that the Indian Government does not appreciate such efforts, which can be a demotivating factor for security researchers and skilful bug hunters and discourage them from reporting such bugs. It is important that independent security researchers and governments work together to improve our collective security and help make government sites more secure.
Quoting the lines here from the BBC's article:
As per information reported to and tracked by CERT-In, more than 300,000 cyber-security incidents were reported in 2019, a steep increase from 50,362 incidents in 2016. This is where security researchers or ethical hackers become increasingly important because they can help protect against possible attacks and access flaws in the digital infrastructure.
It is no surprise that India is ranked third after the US and China in terms of cybercrime incidents. Over 22,000 Indian websites were hacked between Apr 2017 and Jan 2018, as confirmed by the IT Ministry, including 114 government portals. The stats can get even worse if proper security awareness and serious steps are not taken. There is no doubt about the talent and skill set India has in information security. India has already produced some great, popular security researchers, but the problem lies in such talent not being recognized in the Indian market by the Indian government, which leaves government sites to be exploited, attacked and exposed by outside malicious hackers, and we all know what is going on with our Aadhaar breaches. This is where the government should realize what is required and what is lacking in the field of information security and take the right steps in the right direction!
Some steps that should be taken to protect user data and prevent massive data breaches:
- Every government website that stores user data should have a dedicated security team.
- Regular testing of such applications should be done, either by outsourcing to external vendors or in-house.
- A bug bounty program or responsible disclosure policy should be implemented as soon as possible so that hackers can ethically report such loopholes.
- A myth: having a firewall does not mean the application is completely protected. A security team needs to be built to maintain and review the security of the applications.
- Appropriate reward and appreciation should be given to ethical hackers who report vulnerabilities and protect user data from breaches.
Thanks for reading!