Elliot Alderson Hacked Aarogya Setu & Explained Privacy Flaws

Elliot Alderson Hacked Aarogya Setu App

The renowned ethical hacker Elliot Alderson hacked Aarogya Setu and flagged privacy concerns in the COVID-19 tracing app. The app was developed by the Indian Government and holds the details of 90 million registered users.

Through Twitter, he informed the Aarogya Setu Twitter handle that he had found a security issue in the app and that the privacy of the registered users was at stake. He asked Aarogya Setu to contact him privately, which they did, and Elliot Alderson disclosed the issue to them.

Elliot Alderson Hacked Aarogya Setu [Privacy Flaws]

The issue highlighted after Elliot Alderson hacked Aarogya Setu was that anyone could access the internal database of the app and see who is sick anywhere in India, which violates the privacy of those people. He also mentioned Mr. Rahul Gandhi, the Congress MP from Wayanad district of Kerala, who had raised the security issue and said the app could be used as a surveillance system.

Mr. Alderson did not disclose the issue, as CERT-IN and NIC contacted him within 49 minutes of his tweet. He hacked the app within five hours using a valid Indian mobile number that was not registered on the app. Based on the flaw, by setting his location to New Delhi with a radius of 100 km, he could narrow down that five people in the PMO and two people in the Indian Army headquarters felt unwell.

After contacting the hacker, the Aarogya Setu team posted an update on social media regarding the data security of the app. The developers said that the Aarogya Setu contact tracing app by design collects the location data of 90 million users and allows them to view the concentration of people who have tested positive for COVID-19 in their locality.

The Aarogya Setu hack is not the first instance where Elliot Alderson has highlighted the security issues of a public database in India; he had also highlighted the security issues of the UIDAI (Aadhaar card), which had led to massive outrage.