ORS Patient Portal — a Digital India initiative that put millions of patients’ health information at risk of leakage


What is ORS Patient Portal?

Screenshot: Online appointment booking

Screenshot: Access Appointment Details

To add some technical detail: the flaw was a straightforward IDOR (Insecure Direct Object Reference). The portal looked up a record by a parameter/ID tied to a specific user, but never checked that the logged-in user actually owned that record, so simply tampering with or changing the ID returned another user's data.
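The following is an added example, not code from the original post and not code from the ORS portal itself. It models the class of bug the post describes with a small in-memory appointment store: a lookup that trusts the ID from the request (the IDOR), beside the same lookup with an object-level ownership check, plus a loop that shows what sequential IDs do for an attacker in each case. All records, patient IDs, hospital names and function names are constructed for illustration.

```python
"""Added example (not from the original post or the ORS portal):
a vulnerable appointment lookup next to its hardened form."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Appointment:
    appointment_id: int
    patient_id: int      # owner of the record
    hospital: str
    details: str


# Constructed sample data. Sequential IDs make enumeration trivial,
# but the real defect is the missing ownership check, not the ID format.
APPOINTMENTS = {
    1001: Appointment(1001, 7, "Hospital A", "OPD, 2019-11-18, 09:30"),
    1002: Appointment(1002, 8, "Hospital B", "OPD, 2019-11-18, 10:00"),
    1003: Appointment(1003, 7, "Hospital A", "Follow-up, 2019-11-20, 11:00"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_appointment_vulnerable(session_patient_id: int,
                               appointment_id: int) -> Appointment:
    """IDOR: the ID from the request is trusted as-is. The logged-in
    patient's identity (session_patient_id) is never compared to the
    record's owner, so any authenticated user can read any record."""
    return APPOINTMENTS[appointment_id]


def get_appointment_fixed(session_patient_id: int,
                          appointment_id: int) -> Appointment:
    """Object-level authorization: look the record up, then verify that
    the session's patient owns it before returning anything. 'Missing'
    and 'not yours' raise the same error so the endpoint does not leak
    which IDs exist."""
    record = APPOINTMENTS.get(appointment_id)
    if record is None or record.patient_id != session_patient_id:
        raise Forbidden(
            f"appointment {appointment_id} is not accessible "
            f"to patient {session_patient_id}"
        )
    return record


def enumerate_ids(fetch, session_patient_id: int, start: int, stop: int):
    """Simulate the walk the post describes: iterate over an ID range as
    one logged-in patient and collect whatever the endpoint returns.
    Against the vulnerable handler every record comes back; against the
    fixed handler only the caller's own records do."""
    leaked = []
    for aid in range(start, stop):
        try:
            leaked.append(fetch(session_patient_id, aid))
        except (KeyError, Forbidden):
            continue
    return leaked


if __name__ == "__main__":
    me = 7  # constructed: the attacker is logged in as patient 7
    vuln = enumerate_ids(get_appointment_vulnerable, me, 1000, 1010)
    safe = enumerate_ids(get_appointment_fixed, me, 1000, 1010)
    print("vulnerable handler leaked:", [a.appointment_id for a in vuln])
    print("fixed handler returned:   ", [a.appointment_id for a in safe])
```

The check that matters is the comparison of `record.patient_id` against the identity taken from the server-side session, not from the request. Making IDs random or opaque would slow enumeration down but would not close the hole; an attacker who obtains another patient's ID by any route would still be able to read that record.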

Screenshot: Other patient's details being accessed

Screenshot: Access to another patient's details
Similarly, in no time the count of records reached around 18,000 patient details, and that was just for a single hospital (AIIMS Delhi) over a few days. The numbers kept growing, disclosing details of every appointment made at any hospital on any given day since the ORS service was launched.
Screenshot: Portal statistics, taken from ors.gov.in

The vulnerability could have allowed every single patient's records to be accessed. According to the data shown on the ORS site (above screenshot), it had a total of 237 hospitals registered as of 18 Nov 2019, and the total number of appointments made through the portal was 30,82,791, approximately 31 lakh (3.1 million). At the time the vulnerability was found and reported, the number was around 20 lakh (2 million).
This vulnerability had potentially put the data of 20 lakh users at risk: their PII (personally identifiable information) and PHI (protected health information).

Screenshot: First mail sent to the CERT team

Screenshot: Acknowledgment from CERT-In

Screenshot: Acknowledgment of bug fix

Screenshot: CERT-In reply
As per information reported to and tracked by CERT-In, more than 300,000 cyber-security incidents were reported in 2019, a steep increase from 50,362 incidents in 2016. This is where security researchers and ethical hackers become increasingly important: they can help protect against possible attacks and find access-control flaws in the digital infrastructure before they are abused.

Learning

Lead Infrastructure Security Engineer | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes, BBC| Acknowledged by Google, NASA, Yahoo, UN etc
