- Report: Unmasked: COVID-KAYA and the Exposure of Healthcare Worker Data in the Philippines.
- Date Published: November 10 2020
COVID-KAYA (Web application)
A vulnerability in the web app’s authentication logic allowed access to sensitive data normally protected by a superuser login credential.
This vulnerability allowed an attacker to access at least the names and locations of health centres, as well as the names of over 30,000 healthcare providers who have signed up to use the app. We are concerned but did not confirm that an attacker could also leverage this vulnerability to cause the app to reveal sensitive patient data.
- August 18 2020 - We emailed Dure Technologies, the Philippines Department of Health, and WHO Philippines regarding the issues we identified with the web app
- August 19 2020 - We received a response from Dure Technologies stating: “Thank you for your email and feedback, we will look into it on priority.”
- November 10 2020 - We published our report