The National Information Technology Board (NITB) has categorically denied the claims made by the well-known ethical hacker Baptiste Robert regarding technical flaws and shortcomings in the government’s COVID-19 application.
On Tuesday, Robert highlighted several security lapses in his analysis of the government of Pakistan’s coronavirus application, named ‘COVID-19 Gov PK.’
Robert, who goes by the pseudonym ‘Elliot Alderson’ on Twitter, wrote a series of tweets describing the glaring flaws he found in the app.
1/ Yesterday night, I analysed "COVID-19 Gov PK", the official #Covid19 mobile app made by the Pakistani government. Hardcoded passwords, insecure connections, privacy issues, … nothing is ok with this app.
Want to see this horror? Follow me ⬇️ pic.twitter.com/cpdf5ezoFM
— Baptiste Robert (@fs0c131y) June 9, 2020
In response, NITB CEO Shabahat Ali Shah issued a press release hours after Robert’s Twitter thread, rebutting his claims about the ‘COVID-19 Gov PK’ app. He said that the app was created to curb the spread of coronavirus and uses ‘very limited personal information.’
Contrary to what a social media user claimed, he said, the app does not show the ‘exact coordinates’ of an infected person.
Instead, it shows a radius parameter that is fixed by default at 10 meters for self-declared patients and 300 meters at a quarantine location. Hence, self-declared patients have given their consent to reveal their coordinates for the safety of the citizens. Moreover, they have accepted our app privacy policy terms/conditions.
About the hardcoded passwords, NITB said that there is no user login mechanism present in the app; therefore, passwords are not part of the app workflow.
Shabahat elaborated that the value shown in the screenshot as a hardcoded password is a defined keyword meant to give more security to the auth-token endpoint, so that the endpoint can only be used from the mobile app.
Robert was quick to dismiss NITB’s claims, posting screenshots as proof. Whatever it is called, a value compiled into a publicly distributed app can be recovered by anyone who decompiles it, so it cannot restrict the endpoint to the official app.
Him: It’s not a password, it’s a keyword
Me: Dude! Respect yourself, it’s literally written password! pic.twitter.com/B11bM1iCDe
— Baptiste Robert (@fs0c131y) June 9, 2020
The IT board’s other claim, that all of its APIs communicate over HTTPS, was also knocked down.
Him: All our APIs communicate using HTTPS
Me: Look at the 1st request made by the app bro! Just look pic.twitter.com/qpg9sMO8fU
— Baptiste Robert (@fs0c131y) June 9, 2020
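The two disputed findings, a credential compiled into the app and a first request sent over plain HTTP, are the kind of thing a reviewer spots by searching the decompiled APK rather than by trusting a press release. The script below is an added illustration, not code from the article, from NITB or from Robert’s analysis; it runs that search over a constructed sample of decompiled output (string resources, a BuildConfig-style constant, smali `const-string` lines and a manifest attribute). Every string, URL and name in the sample, including `AUTH_PASSWORD` and `api.example.invalid`, is made up for the example and is not taken from COVID-19 Gov PK.

```python
import re
from dataclasses import dataclass

# Constructed sample of decompiled Android output (not from COVID-19 Gov PK).
# Lines 2, 4 and 8 carry the problems the scanner is meant to catch;
# lines 5 and 7 are key names, not secrets, and must not be flagged.
SAMPLE_DECOMPILED = """\
<string name="app_name">Example Health App</string>
<string name="api_base_url">http://api.example.invalid/v1/</string>
<string name="privacy_policy_url">https://example.invalid/privacy</string>
public static final String AUTH_PASSWORD = "s3cretKeyword";
const-string v0, "token"
const-string v1, "https://api.example.invalid/v1/auth-token"
const-string v2, "user_password"
<application android:usesCleartextTraffic="true" android:label="@string/app_name">
"""

# Identifier fragments that suggest a credential (matched against the
# identifier side of a line, never against the literal value itself).
CREDENTIAL_KEY = re.compile(r"(password|passwd|secret|api[_-]?key|auth[_-]?token)", re.I)
XML_RES = re.compile(r'<string name="([^"]+)">([^<]*)</string>')
QUOTED = re.compile(r'"([^"]*)"')
# "http://" does not match "https://", so only cleartext endpoints are caught.
CLEARTEXT_URL = re.compile(r'\bhttp://[^\s"<]+', re.I)
# Android manifest opt-in that re-enables cleartext traffic app-wide.
CLEARTEXT_OPT_IN = re.compile(r'usesCleartextTraffic="true"')


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str   # "hardcoded_credential", "cleartext_url" or "cleartext_opt_in"
    value: str


def _key_and_values(line):
    """Split a line into the identifier part and the string literal(s) it assigns.

    For a string resource the key is the name attribute and the value is the
    element body; for code/smali the key is the line with its quoted literals
    blanked out, so a literal that merely *says* "password" is not a hit.
    """
    m = XML_RES.search(line)
    if m:
        return m.group(1), [m.group(2)]
    return QUOTED.sub('""', line), QUOTED.findall(line)


def scan(text):
    """Return Findings for hardcoded credentials and cleartext transport."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        key_part, values = _key_and_values(line)
        values = [v for v in values if v.strip()]
        if values and CREDENTIAL_KEY.search(key_part):
            findings.append(Finding(no, "hardcoded_credential", values[-1]))
        for url in CLEARTEXT_URL.findall(line):
            findings.append(Finding(no, "cleartext_url", url))
        if CLEARTEXT_OPT_IN.search(line):
            findings.append(Finding(no, "cleartext_opt_in", line.strip()))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_DECOMPILED):
        print(f"line {f.line_no}: {f.kind}: {f.value}")
```

On real input you would feed it the output of a decompiler such as apktool or jadx rather than the embedded sample. The credential check deliberately looks at the identifier side of each line, so `const-string v2, "user_password"` (a JSON key name) is not reported while `AUTH_PASSWORD = "s3cretKeyword"` is; the transport check flags both cleartext URLs and the manifest opt-in that allows them. Renaming such a constant from “password” to “keyword” changes nothing the scanner, or an attacker, cares about: it is still a static value recoverable from the APK.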
The social media tug of war is set to escalate as the French ethical hacker has announced that he will inspect other applications developed by the NITB.
Pakistan’s cyber security is a joke. Every month hackers steal Pakistani users’ data; from telecom to hospitals to NADRA, everything is stolen by hackers.