Controversy as French Hacker Highlights Private Data Leaks in Pakistan’s COVID-19 App

The National Information Technology Board (NITB) has categorically denied the claims made by the famous ethical hacker, Robert Baptiste, regarding the technical flaws and shortcomings in the government’s COVID-19 application.

On Tuesday, Baptiste highlighted several security lapses in his analysis of the government of Pakistan’s coronavirus application, named ‘COVID-19 Gov PK.’


Baptiste, who tweets under the pseudonym ‘Elliot Alderson’, wrote a series of tweets describing the glaring flaws he found in the app.

Yesterday night, I analyzed “COVID-19 Gov PK”, the official #Covid19 Mobile app made by the Pakistani government. Hardcoded passwords, insecure connections, privacy issues, … nothing is ok with this app.

In response, NITB CEO Shabahat Ali Shah issued a press release hours after Baptiste’s tweets, rebutting his claims about the ‘COVID-19 Gov PK’ app. He said that the app was created to curb the spread of coronavirus and uses ‘very limited personal information.’

Contrary to what a social media user claimed, he said, the app does not show the ‘exact coordinates’ of an infected person.

Instead, it shows a radius parameter that is fixed by default at 10 meters for self-declared patients and 300 meters at a quarantine location. Hence, self-declared patients have given their consent to reveal their coordinates for the safety of the citizens. Moreover, they have accepted our app privacy policy terms/conditions.

Regarding the hardcoded passwords, NITB said that there is no user login mechanism in the app; therefore, passwords are not part of the app workflow.

Shabahat elaborated that the ‘hardcoded password’ shown in the screenshot is a predefined keyword meant to add security to the auth-token endpoint, so that the endpoint can only be used from the mobile apps.

However, Robert was quick to dismiss NITB’s claims with screenshots as proof.

Another of the IT board’s claims, that all of its APIs communicate over HTTPS, was also knocked down.
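As an added illustration (not code from the article, NITB or Baptiste): a small pre-release audit of an app’s string resources for the two classes of finding in dispute here, credentials hardcoded into the package and endpoints not served over HTTPS. The resource file, its resource names and values are constructed sample data, not the real app’s.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of an Android res/values/strings.xml (not the real app's).
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Sample Health App</string>
    <string name="api_base">http://api.example.invalid/v1</string>
    <string name="auth_endpoint">https://api.example.invalid/v1/auth-token</string>
    <string name="api_password">s3cret-app-keyword</string>
    <string name="welcome_text">Welcome</string>
</resources>"""

# Resource names that usually carry a credential rather than UI text.
SECRET_NAME_RE = re.compile(r"pass(word)?|secret|token|api[_-]?key|private[_-]?key", re.I)


def find_hardcoded_secrets(strings_xml: str) -> list[tuple[str, str]]:
    """Return (name, value) for string resources whose name looks like a credential.
    Anything packaged in the APK can be read by whoever installs it, so such a
    value is a shared secret, not something that limits an endpoint to the app."""
    root = ET.fromstring(strings_xml)
    hits = []
    for node in root.iter("string"):
        name, value = node.get("name", ""), (node.text or "").strip()
        if value and SECRET_NAME_RE.search(name):
            hits.append((name, value))
    return hits


def find_plaintext_endpoints(strings_xml: str) -> list[str]:
    """Return every URL in the resources that is not served over HTTPS."""
    root = ET.fromstring(strings_xml)
    insecure = []
    for node in root.iter("string"):
        value = (node.text or "").strip()
        parsed = urlparse(value)
        if parsed.scheme and parsed.netloc and parsed.scheme.lower() != "https":
            insecure.append(value)
    return insecure


def audit(strings_xml: str) -> dict:
    """Run both checks; an empty report means the resources passed."""
    return {"hardcoded_secrets": find_hardcoded_secrets(strings_xml),
            "plaintext_endpoints": find_plaintext_endpoints(strings_xml)}


if __name__ == "__main__":
    for issue, items in audit(SAMPLE_STRINGS_XML).items():
        print(f"{issue}: {items}")
```

On the sample above the audit flags `api_password` and the plaintext `api_base` URL; the HTTPS auth-token endpoint passes the transport check but its static keyword still ships to every installer.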

The social media tug of war is set to escalate as the French ethical hacker has announced that he will inspect other applications developed by the NITB.


  • Pakistan’s cyber security is a joke; every month hackers steal Pakistani users’ data, from telecom to hospitals to NADRA, everything is stolen by hackers