A couple of weeks ago, Jio introduced a Coronavirus Symptom checker tool to check if a person is infected with the virus or not. This feature was introduced in the MyJio mobile application for Android and iOS.
A new report by TechCrunch states that the database of the symptom checker was exposed to the Internet without a password.
A security researcher, Anurag Sen, found the database exposed online on 1st May. He immediately contacted the publication so that it could report the exposure to the company, and Jio took its system offline soon after it was contacted.
The exposed database contains all the data from 17th April until the point at which Jio took the server down. It is a running log of website errors and system messages, and it also holds users' symptom and self-test data.
The user-generated data includes information such as name, age, who took the test (self or relative), and records of people who created an account. Most importantly, the questions the tool asks about symptoms, and the answers given, are stored in the same database.
The exact geolocation of users was also found in the database. Location details are not available for every user; only the locations of those who granted the location permission are logged. These records include the coordinates of the user's exact location.
“We have taken immediate action…The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms,” said Tushar Pania, a Jio spokesperson.