Elliot Alderson didn’t find any major vulnerabilities in Aarogya Setu contact tracing App and ended up doxxing his own mate
Just four days back, a French hacker who uses the pseudonym Elliot Alderson (borrowed from the TV series Mr. Robot) claimed that the Aarogya Setu App could potentially leak personally identifiable information about 90 million Indians. After the developers of Aarogya Setu demolished his claims, he asked the devs whether they knew what triangulation was. He did not, however, explain how triangulation was related to his Aarogya Setu vulnerability claims.
In a tweet a few hours later, Elliot accepted that Aarogya Setu devs had indeed (silently was his word) updated the App and patched a vulnerability.
The first time I analysed @SetuAarogya it was 1 month ago. With 1 command line it was possible to open any internal file of the app. It’s no more possible on the latest version. They fixed this issue silently. https://t.co/MVKc4wOSA9
— Elliot Alderson (@fs0c131y) May 6, 2020
Elliot then proceeded to write a Medium post about the alleged vulnerability in the Indian Government's Aarogya Setu contact tracing App. In the Medium post, he claimed that he could change the location and use a different radius than the 5 hardcoded values set in the App.
A Twitter user pointed out that Elliot had perhaps not heard of location spoofing, which can be done against any App. Heck, even small kids playing Pokemon Go spoof their locations with a GPS spoofing App to fetch Pokemon from remote places.
Elliot Doxxes the Indian man who helped him with his mobile number
In the meantime, the master hacker made a mistake that is an absolute taboo for any security researcher: he doxxed his own mate, who had helped him by providing the Indian mobile number needed to log into the App. A few days earlier, Elliot had tweeted a request to his Twitter followers for an Indian mobile number. Many responded, and he used one of the numbers they provided.
In writing the post, Elliot forgot to blur out the number of his Indian helper. A hacker and security researcher named Prateek Tiwari pointed it out.
Arogya setu didn’t leak any sensitive information but @fs0c131y sure did by exposing the JWT token of the user who tried to help him out. Decoding it will give you the victim’s number 🤦♂️
— Akhil Reni (@akhilreni_hs) May 6, 2020
Elliot accidentally leaked the JSON Web Token of the user in the Medium post, thereby making the poor guy a target for trolls, scammers, etc. It takes a little hacking expertise to decode the full mobile number and find the poor guy, who actually meant well when he gave his Indian mobile number to Elliot.
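The reason a pasted token is enough to recover the number is that a JWT's claims are only base64url-encoded, not encrypted. The following added example (not code from the article, the App or anyone involved; the token, claim names and number are constructed placeholders) decodes a token without verifying it, flags phone-like claims so a researcher can catch them before publishing, and shows a redacted form safe to paste into a write-up.

```python
import base64
import json
import re

# Heuristics for claims that must never appear in a published screenshot or report.
PHONE_RE = re.compile(r"^\+?\d{10,15}$")
PII_KEYS = {"mobile", "phone", "msisdn", "email", "name"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt() -> str:
    """Build a constructed token: made-up claims, placeholder number, dummy signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "user-0001", "mobile": "+910000000000", "iat": 1588723200}
    compact = {"separators": (",", ":")}
    return ".".join([
        _b64url_encode(json.dumps(header, **compact).encode()),
        _b64url_encode(json.dumps(payload, **compact).encode()),
        _b64url_encode(b"dummy-signature"),  # not a real HMAC; irrelevant to readability
    ])


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, payload). No signature check on purpose: anyone holding the
    string can read the claims, which is exactly why a leaked token exposes PII."""
    header_b64, payload_b64, _sig = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def find_pii_claims(payload: dict) -> dict:
    """Flag claims whose key is a known PII field or whose value looks like a phone number."""
    return {k: v for k, v in payload.items()
            if k.lower() in PII_KEYS or (isinstance(v, str) and PHONE_RE.match(v))}


def redact_token(token: str) -> str:
    """Keep only the header segment (algorithm and type) and blank out payload and signature."""
    header_b64, _payload, _sig = token.split(".")
    return f"{header_b64}.[REDACTED].[REDACTED]"
```

Running `find_pii_claims` over every token in a draft before publishing would have flagged the helper's number here; the redacted form still lets readers see the algorithm and type.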
Now, Elliot has raised a new issue. He wants the Aarogya Setu devs to open-source the code. Earlier in the day, the NHS open-sourced its own contact tracing App, and Elliot now wants the Indian government to do the same.