A medical company based in California that offers COVID-19 tests across Los Angeles has pulled down an online portal that allowed users to access the results of their tests, following a complaint from a user who discovered a vulnerability that gave access to private data.
Total Testing Solutions has 10 COVID-19 testing facilities throughout Los Angeles and processes “thousands” of COVID-19 test results from sports facilities, workplaces and schools every week. Once test results are available, clients receive an email with links to a website where they can view their results.
However, one user claimed that they discovered a vulnerability on the website that let them gain access to other customers’ information by changing a number in the website’s address by one. The customer was able to access the names of other customers as well as the date they took their test. The site also requires an individual’s date of birth to retrieve the COVID-19 test result, which the user who discovered the flaw said “wouldn’t require a long time” to crack or guess. (That’s only 11,000 birthday guesses for those younger than 30 years old.)
While the website that was tested is secured by a login screen that asks the user for their email address and password, the vulnerable portion of the site, which allowed the customer to alter the website’s address and gain access to other customers’ information, could be accessed directly over the internet, bypassing the sign-in prompt entirely.
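As an added illustration (not code from TTS or from the article), the following Python model contrasts the two lookups described above: a sequential result number guarded only by a date of birth, beside a hardened version that uses an unguessable per-result token, a constant-time date-of-birth comparison and a lockout after a few failed checks. The record fields, the name and the dates used with it are constructed, not data from the report.

```python
import hmac
import secrets
from dataclasses import dataclass
# Constructed sample record type; names and dates used with it are hypothetical.
@dataclass
class TestResult:
    name: str
    dob: str        # date of birth as YYYY-MM-DD, the portal's second "factor"
    taken: str      # date the test was taken
    outcome: str

class ResultPortal:
    """Models the two lookups the article contrasts: a sequential result number
    in the link plus a date of birth (legacy), versus an unguessable per-result
    token plus a lockout after a few failed date-of-birth checks (hardened)."""
    MAX_DOB_ATTEMPTS = 5

    def __init__(self):
        self._by_seq = {}     # legacy: small consecutive integers in the URL
        self._by_token = {}   # hardened: 128-bit random token in the emailed link
        self._failed = {}     # token -> failed date-of-birth checks so far

    def add(self, result):
        seq = len(self._by_seq) + 1          # next number is trivially predictable
        token = secrets.token_urlsafe(16)    # 128 bits; cannot be derived from seq
        self._by_seq[seq] = result
        self._by_token[token] = result
        return seq, token

    def lookup_legacy(self, seq, dob):
        """Vulnerable pattern: any integer reaches a record, and the only remaining
        gate is a date of birth with roughly 11,000 candidates and no attempt limit."""
        r = self._by_seq.get(seq)
        if r is None or r.dob != dob:
            return None
        return r

    def lookup_hardened(self, token, dob):
        """Hardened pattern: the token is unguessable, the date-of-birth check is
        constant-time, and MAX_DOB_ATTEMPTS failures lock the link, so the small
        date-of-birth space can no longer be searched online."""
        r = self._by_token.get(token)
        if r is None:
            return None
        if self._failed.get(token, 0) >= self.MAX_DOB_ATTEMPTS:
            return None                       # locked: reissue the link out of band
        if not hmac.compare_digest(r.dob.encode(), dob.encode()):
            self._failed[token] = self._failed.get(token, 0) + 1
            return None
        return r
```

In a real deployment the hardened lookup would also sit behind the login the article mentions, so the emailed token is a second control rather than the only one.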
The customer emailed information about this vulnerability to TechCrunch to ensure that it would be repaired before anyone else discovered or exploited it, if that had not already happened.
TechCrunch confirmed the customer’s findings; while we did not count every test result code, we did run some tests and found that the vulnerability put around 60,000 test results at risk. TechCrunch reported the flaw to TTS chief medical officer Geoffrey Trenkle, who did not dispute the number of tests that were discovered but said the vulnerability was only present on an on-premises server used to deliver past test results, which has since been shut down and replaced with an entirely new cloud-based system.
“We were recently informed of a vulnerability in our old on-premises system that would allow access to patient names and outcomes through a combination of URL manipulation and dates of birth programming codes,” said Trenkle in a statement. “The vulnerability was restricted to information about patients obtained from public testing sites prior to the development of the server that runs on the cloud. To address this potential danger, the company immediately shut down our software on premises and began migrating those files to the cloud-based secure system to ensure that there is no risk of a data breach. We also began the process of assessing vulnerabilities, which included the examination of server access logs in order to identify any network activity that is not recognized or unusual authentication issues.”
Trenkle did not say how long ago the cloud service went live, nor why the server described as a legacy server showed test results that were not completed until December.
“Currently, TTS is not aware of any breaches of secured health information due to the problems with its previous server. According to our research, no health information for patients was compromised and the risk is now mitigated in the future,” said Trenkle.
Trenkle confirmed that the company would follow its obligations under state law, but he did not say specifically whether the company will notify customers about the vulnerability. While companies aren’t required to report security issues to their state attorney general or to their customers, they do so out of caution, as it is difficult to rule out that the vulnerability was used for unintended access.