A vulnerability that leaks personal information such as names and addresses is discovered in a university's new coronavirus contact tracing app
It has been discovered that a new coronavirus contact tracing app that a university in the US required its students to use had a vulnerability that made it 'possible to extract users' personal information such as names and addresses.'
College contact-tracing app readily leaked personal data, report finds | Ars Technica
Go read this investigation into a flawed contact-tracing app used by one US college-The Verge
A 'new coronavirus contact tracing app' is an app that lets people who have been infected with COVID-19 find out who has come into contact with them, and that lets users track the spread of COVID-19. In Japan, the Ministry of Health, Labor and Welfare has released a new coronavirus contact tracing app called 'COCOA', and simulation results have shown that COCOA could halve the number of infected people in Japan.
Is the Japanese government's official new coronavirus contact confirmation app 'COCOA' effective at suppressing infections? What the actual simulation results show - GIGAZINE
However, the new coronavirus contact tracing app that Albion College in Michigan, U.S.A. obliged its students and faculty to use was found to be 'vulnerable to third parties extracting names and addresses.'
The new coronavirus contact tracing app in question is an app called 'Aura' developed by Nucleus Healthcare. In addition to notifying other users who have been in contact with a user, and the university authorities, when that user tests positive, Aura can generate a QR code showing the user's own test result. It was
Aura: Ensuring a safe, compliant workforce through COVID-19 testing & contact tracing software-YouTube
The problem was found in this QR code generator. According to the investigation, the QR code is generated via Aura's website rather than on the device, and the URL of this website contained 'the user's account number'. Furthermore, it became clear that by manually tampering with the account number in the URL, it was possible to generate another user's QR code and so obtain other people's test results.
It was also discovered that Aura's source code contained a hard-coded security key for the backend server. Using this security key to access the application's database and cloud storage, it was possible to obtain other users' names, addresses, and dates of birth in addition to their test results.
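The account-number flaw described above is a classic missing-authorization bug: the server trusts an identifier supplied in the URL instead of deriving it from the logged-in session. The following is an added illustration (not Aura's or Nucleus Healthcare's code) with constructed sample accounts and sessions, showing the vulnerable lookup beside a hardened one that also records tampering attempts for detection.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: account number -> stored record
ACCOUNTS = {
    "1001": {"name": "Alice", "result": "negative"},
    "1002": {"name": "Bob", "result": "positive"},
}
# Constructed session store: session token -> account number of the logged-in user
SESSIONS = {"tok-alice": "1001", "tok-bob": "1002"}
# Audit trail of rejected requests (what a detection rule would alert on)
AUDIT_LOG = []

@dataclass
class Request:
    session_token: str   # proves who is logged in
    account_param: str   # the account number carried in the URL

def qr_payload_vulnerable(req: Request) -> Optional[dict]:
    """Checks only that *someone* is logged in, then looks up whatever
    account number the URL names: any user can read any other record."""
    if req.session_token not in SESSIONS:
        return None
    record = ACCOUNTS.get(req.account_param)
    return {"account": req.account_param, **record} if record else None

def qr_payload_hardened(req: Request) -> Optional[dict]:
    """Derives the account from the session, so the URL parameter can only
    ever confirm the caller's own account; a mismatch is refused and logged."""
    own_account = SESSIONS.get(req.session_token)
    if own_account is None:
        return None
    if req.account_param != own_account:
        AUDIT_LOG.append(
            f"session {req.session_token} (account {own_account}) "
            f"requested account {req.account_param}: denied"
        )
        return None
    return {"account": own_account, **ACCOUNTS[own_account]}
```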
In addition, Aura's 'contact monitoring system' itself is a problem. It relies on location information and does not use the 'contact tracing API' jointly developed by Google and Apple. That API prohibits location tracking for security and privacy reasons.
Tracking location information is prohibited in apps that implement Apple and Google's 'new coronavirus tracing system' - GIGAZINE
Aura uses location information because it implements a 'surveillance' function for the university. When a student leaves the campus without permission, a notification is sent to the school, the student's ID card is locked, and access to the campus is restricted.
Nucleus Healthcare has already fixed the vulnerabilities in Aura that could lead to information disclosure. However, the monitoring function that uses location information remains unchanged, and complaints from students and their parents are continuing at Albion College.