- Report: Unmasked: COVID-KAYA and the Exposure of Healthcare Worker Data in the Philippines.
- Date Published: November 10 2020
COVID-KAYA version 1.4.7 (Android version code 10407)
The app embeds a hardcoded credential that allows access to its internal APIs.
We demonstrated that this credential can successfully authenticate and use the APIs to obtain the names and locations of health centres, as well as the names of over 30,000 healthcare providers who have signed up to use the app.
- September 14 2020 - We emailed Dure Technologies, the Philippines Department of Health, and WHO Philippines regarding the issues we identified with the Android app.
- September 15, 2020 - We received a response from Dure Technologies stating: "Thank you for your email and feedback, we will look into it on priority."
- October 22 2020 - We notified Dure Technologies of additional findings
- October 23 2020 - We received a response from Dure Technologies stating: “Thank you for your email and feedback. We have duly noted the feedback shared and will be closing the concerns highlighted asap.”
- November 10 2020 - We published our report