Hacker claims to find vulnerabilities in Aarogya Setu, instead doxxes his own mate


Elliot Alderson didn’t find any major vulnerabilities in Aarogya Setu contact tracing App and ended up doxxing his own mate

Just four days back, a French hacker who uses the pseudonym Elliot Alderson, borrowed from the TV series Mr. Robot, claimed that the Aarogya Setu App could potentially leak personally identifiable information about 90 million Indians. After the developers of Aarogya Setu demolished his claims, he asked the devs if they knew what triangulation was. He did not, however, explain how triangulation was related to his Aarogya Setu vulnerability claims.

In a tweet a few hours later, Elliot accepted that Aarogya Setu devs had indeed (silently was his word) updated the App and patched a vulnerability.

Elliot then proceeded to make a Medium post about the alleged vulnerability in the Indian Government’s Aarogya Setu Contact Tracing App. In the Medium post, he claimed that he could change the location and use a different radius than the 5 hardcoded values set in the App.

A Twitter user pointed out that maybe Elliot hasn’t heard of location spoofing, which can be done for any App. Heck, even small kids playing Pokemon Go spoof their locations using a GPS spoofing App to catch Pokemon from remote places.

Elliot Doxxes the Indian man who helped him with his mobile number

In the meantime, the master hacker made an absolute taboo mistake for any security researcher. He doxxed his own mate who had helped him by providing the Indian mobile number needed to log into the App. A few days before, Elliot had tweeted a request to his Twitter followers for an Indian mobile number. Many responded, and he used one of the numbers they provided.

In making the post, Elliot forgot to blur out the number of his Indian helper. A hacker and security researcher named Prateek Tiwari pointed it out.

Elliot accidentally leaked the JSON Web Token (JWT) of the user in the Medium post, thereby making the poor guy a target for trolls, scammers, etc. It takes a little hacking expertise to decode the full mobile number from the token and find the poor guy who actually meant well when he gave his Indian mobile number to Elliot.
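Why publishing a token is the same as publishing the phone number inside it, as an added example that is not from the article or from the Aarogya Setu App: a JWT payload is only base64url-encoded, not encrypted, so a pre-publication scrubber can both show what a token would expose and redact it. The token, its claim names and the post text below are constructed for illustration.

```python
import base64
import json
import re

def _b64url(data: bytes) -> str:
    """base64url-encode without the trailing '=' padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Constructed sample: a JWT whose payload carries a mobile number, like the
# token leaked in the post. The signature segment is fake; it is never verified.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "constructed-user", "mobile": "+910000000000"}).encode()),
    _b64url(b"not-a-real-signature"),
])

# Constructed draft of a write-up that pastes a captured request verbatim.
SAMPLE_POST = (
    "Here is the request I captured while testing:\n"
    f"Authorization: Bearer {SAMPLE_TOKEN}\n"
    "Note the hard-coded radius values."
)

# Three base64url segments joined by dots. The header segment of a JWT
# always starts with 'eyJ' because that is the encoding of '{"'.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying it: encoding is not secrecy."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def redact_jwts(text: str) -> tuple[str, list[dict]]:
    """Replace every JWT in text with a placeholder and report what each exposed."""
    exposed = [decode_jwt_payload(m) for m in JWT_RE.findall(text)]
    return JWT_RE.sub("[JWT REDACTED]", text), exposed

if __name__ == "__main__":
    clean, leaks = redact_jwts(SAMPLE_POST)
    print(clean)
    print("claims that would have been published:", leaks)
```

Running the scrubber over a draft before it goes out is cheap; the claims it reports are exactly what any reader of the unredacted post could recover.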

Now, Elliot has raised a new issue. He wants the Aarogya Setu devs to open-source the code. Earlier in the day, the NHS open-sourced its contact tracing App, and Elliot now wants the Indian government to do the same.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt
