Israeli Government’s CoronaApp Exposed Users' Medical History to Hackers

Tens of thousands of users gave their personal details and reported their medical history as part of the country's efforts to contain the coronavirus outbreak, but the Health Ministry stresses no information was leaked

Ran Bar-Zik
Workers at Ben-Gurion Airport wear protective masks, February 25, 2020. Credit: Ofer Vaknin

A major security flaw that allowed hackers to extract confidential medical information of some 75,000 Israeli users was discovered in the Health Ministry’s CoronApp, intended to provide information about coronavirus and allow users to consult with experts and report their quarantine.

According to the Health Ministry, there was no hostile breach of the app’s database and the bug has since been fixed.

Users who installed the CoronaApp were required to enter personal details including history of illnesses. Many users also gave their email addresses so they could receive updates.

Security researcher Dudi Kretchmer discovered that a critical security breach allowed anyone who used a common hacking tool to access all user records, and even hack their accounts and act on their behalf.

The app was also stored on a three-year-old server that has several documented security breaches, meaning it could have easily been used by hostile parties to sabotage the application itself.

A report was immediately sent to the National Cyber Security Authority, which responded swiftly.

“From the moment the journalist pointed out the problem to us, the company’s developer and the best cybersecurity experts immediately and quickly worked to locate and resolve the problem,” the Health Ministry commented. “It should be stressed that according to an examination by hired experts and as far as we know, there was no breach and no personal information was leaked.”
