Jump to content

Jamaica’s immigration website exposed thousands of travelers’ data


mood

Recommended Posts

Jamaica’s immigration website exposed thousands of travelers’ data

Immigration documents and COVID-19 lab results were left unprotected

 

kingston-jamaica.gif?w=1390&crop=1

Image Credits: ITN / composite (opens in a new window)/ Getty Images

 

Asecurity lapse by a Jamaican government contractor has exposed immigration records and COVID-19 test results for hundreds of thousands of travelers who visited the island over the past year.

 

The Jamaican government contracted Amber Group to build the JamCOVID19 website and app, which the government uses to publish daily coronavirus figures and allows residents to self-report their symptoms. The contractor also built the website to pre-approve travel applications to visit the island during the pandemic, a process that requires travelers to upload a negative COVID-19 test result before they board their flight if they come from high-risk countries, including the United States.

 

But a cloud storage server storing those uploaded documents was left unprotected and without a password, and was publicly spilling out files onto the open web.

 

Many of the victims whose information was found on the exposed server are Americans.

 

TechCrunch discovered the exposure as part of a separate investigation into COVID-19 apps. After TechCrunch contacted Amber Group’s chief executive Dushyant Savadia, who did not comment when reached prior to publication, the data was secured.

 

The storage server, hosted on Amazon Web Services, was set to public. It’s not known for how long the data was unprotected, but contained more than 70,000 negative COVID-19 lab results, over 425,000 immigration documents authorizing travel to the island — which included the traveler’s name, date of birth and passport numbers — and over 250,000 quarantine orders dating back to June 2020, when Jamaica reopened its borders to visitors after the pandemic’s first wave. The server also contained more than 440,000 images of travelers’ signatures.

 

Two U.S. travelers whose lab results were among the exposed data told TechCrunch that they uploaded their COVID-19 results through the Visit Jamaica website before their travel. Once lab results are processed, travelers receive a travel authorization that they must present before boarding their flight.

 

Both of these documents, as well as quarantine orders that require visitors to shelter in place and several passports, were on the exposed storage server.

 

Travelers who are staying outside Jamaica’s so-called “resilient corridor,” a zone that covers a large portion of the island’s population, are told to install the app built by Amber Group that tracks their location and is tracked by the Ministry of Health to ensure visitors stay within the corridor. The app also requires that travelers record short “check-in” videos with a daily code sent by the government, along with their name and any symptoms.

 

The server exposed more than 1.1 million of those daily updating check-in videos.

 

Covid-19_airport_arrival_flyer-v7-1.jpg?

An airport information flyer given to travelers arriving in Jamaica. Travelers may be required to install the JamCOVID19 app to allow the government to monitor their location and to require video check-ins. (Image: Jamaican government)

 

The server also contained dozens of daily timestamped spreadsheets named “PICA,” likely for the Jamaican passport, immigration and citizenship agency, but these were restricted by access permissions. But the permissions on the storage server were set so that anyone had full control of the files inside, including downloading the entire server’s contents or deleting the files altogether. (TechCrunch did neither, as doing so would be unlawful.)

 

Stephen Davidson, a spokesperson for the Jamaican Ministry of Health, did not comment when reached, or say if the government planned to inform travelers of the security lapse.

 

In a brief statement after we published, the Jamaican government issued a statement confirming the vulnerability.

“A thorough investigation was immediately initiated to determine if there were any breaches in travelers’ data security, if the vulnerability had been exploited, and if there was a breach of any laws. At present, there is no evidence to suggest that the security vulnerability had been exploited for malicious data extraction prior to it being rectified,” the statement read.

 

Savadia founded Amber Group in 2015 and soon launched its vehicle-tracking system, Amber Connect.

 

According to one report, Amber’s Savadia said the company developed JamCOVID19 “within three days” and made it available to the Jamaican government in large part for free. The contractor is billing other countries, including Grenada and the British Virgin Islands, for similar implementations, and is said to be looking for other government customers outside the Caribbean.

 

Savadia would not say what measures his company put in place to protect the data of paying governments.

 

Jamaica has recorded at least 19,300 coronavirus cases on the island to date, and more than 370 deaths.

 

Updated with a statement from the Jamaican government.

 

 

Source: Jamaica’s immigration website exposed thousands of travelers’ data

Link to comment
Share on other sites


  • Replies 1
  • Views 218
  • Created
  • Last Reply

Jamaica’s Amber Group fixes second JamCOVID security lapse

 

amber-group-top-image.jpg?w=1390&crop=1

Image Credits: TechCrunch / composite

 

Amber Group has fixed a second security lapse that exposed private keys and passwords for the government’s JamCOVID app and website.

 

A security researcher told TechCrunch on Sunday that the Amber Group left a file on the JamCOVID website by mistake, which contained passwords that would have granted access to the backend systems, storage, and databases running the JamCOVID site and app. The researcher asked not to be named for fears of legal repercussions from the Jamaican government.

 

This file, known as an environment variables (.env) file, is often used to store private keys and passwords for third-party services that are necessary for cloud applications to run. But these files are sometimes inadvertently exposed or uploaded by mistake, but can be abused to gain access to data or services that the cloud application relies on if found by a malicious actor.

 

The exposed environmental variables file was found in an open directory on the JamCOVID website. Although the JamCOVID domain appears to be on the Ministry of Health’s website, Amber Group controls and maintains the JamCOVID dashboard, app, and website.

 

The exposed file contained secret credentials for the Amazon Web Services databases and storage servers for JamCOVID. The file also contained a username and password to the SMS gateway used by JamCOVID to send text messages, and credentials for its email-sending server. (TechCrunch did not test or use any of the passwords or keys as doing so would be unlawful.)

 

exposed-credentials.jpg

A portion of the exposed credentials found on the JamCOVID website, controlled and maintained by Amber Group. (Image: TechCrunch)

 

TechCrunch contacted Amber Group’s chief executive Dushyant Savadia to alert the company to the security lapse, who pulled the exposed file offline a short time later. We also asked Savadia, who did not comment, to revoke and replace the keys.

 

Matthew Samuda, a minister in Jamaica’s Ministry of National Security, did not respond to a request for comment or our questions — including if the Jamaican government plans to continue its contract or relationship with Amber Group, and what — if any — security requirements were agreed upon by both the Amber Group and the Jamaican government for the JamCOVID app and website?

 

Details of the exposure comes just days after Escala 24×7, a cybersecurity firm based in the Caribbean, claimed that it had found no vulnerabilities in the JamCOVID service following the initial security lapse.

 

Escala’s chief executive Alejandro Planas declined to say if his company was aware of the second security lapse prior to its comments last week, saying only that his company was under a non-disclosure agreement and “is not able to provide any additional information.”

 

This latest security incident comes less than a week after Amber Group secured a passwordless cloud server hosting immigration records and negative COVID-19 test results for hundreds of thousands of travelers who visited the island over the past year. Travelers visiting the island are required to upload their COVID-19 test results in order to obtain a travel authorization before their flights. Many of the victims whose information was exposed on the server are Americans.

 

One news report recently quoted Amber’s Savadia as saying that the company developed JamCOVID19 “within three days.”

 

Neither the Amber Group nor the Jamaican government have commented to TechCrunch, but Samada told local radio that it has launched a criminal investigation into the security lapse.

 

 

Source: Jamaica’s Amber Group fixes second JamCOVID security lapse

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...