Just days after Facebook confirmed a $5.7 billion investment in India’s largest mobile operator, Reliance Jio, a security lapse on the part of the latter has reportedly exposed to the internet a massive database of private user information from the company’s recently released COVID-19 Symptom Checker tool. According to TechCrunch, the database was discovered by cybersecurity researcher Anurag Sen on May 1, right after it was first exposed online.
Jio is said to have pulled the system offline after being notified, but it isn’t immediately clear if others were also able to access the database before it was taken down. In a statement issued to TechCrunch, Jio spokesperson Tushar Pania admitted the security lapse, but said that the company took down the database immediately after being notified. According to him: “We have taken immediate action. The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms”.
As per the report, the database contained millions of logs and records from April 17 till the time it was pulled offline. It contained not only a running log of errors and other system messages, but also massive amounts of data about users who had taken the self-test, including information about their age and gender, as well as the answers to each question asked by the app.
The report further claims that the database also included the person’s ‘user agents’, which are snippets of information about the user’s browser and operating system that can be used to track people’s online activities. As if that wasn’t bad enough, users who allowed location access to the app also had their precise geolocation exposed through the leaked database.