{"id":1623,"date":"2023-06-12T15:28:09","date_gmt":"2023-06-12T09:58:09","guid":{"rendered":"https:\/\/bscrackers.com\/?p=1623"},"modified":"2023-06-12T15:28:09","modified_gmt":"2023-06-12T09:58:09","slug":"cowin-portal-safe-reports-of-telegram-bot-sharing-personal-info-mischievous-health-ministry","status":"publish","type":"post","link":"https:\/\/bscrackers.com\/?p=1623","title":{"rendered":"CoWIN Portal Safe, Reports of Telegram Bot Sharing Personal Info Mischievous: Health Ministry"},"content":{"rendered":"<div style=\"display:flex;justify-content:space-between;background:#f3f3f3;padding:0 15px 10px 10px;border-bottom:5px solid #e1261c\">\n<div style=\"width:510px;padding-top:10px;position:relative;height:350px\" class=\"jsx-1647035624 article_bimg\">\n<figure style=\"line-height:0;width:510px;height:340px\" class=\"jsx-1647035624\"><img fetchpriority=\"high\" decoding=\"async\" alt=\"The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. (File for representation) \" title=\"The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. (File for representation) \" src=\"https:\/\/images.news18.com\/ibnlive\/uploads\/2021\/07\/1627283897_news18_logo-1200x800.jpg?impolicy=website&amp;width=510&amp;height=356\" loading=\"eager\" width=\"510\" height=\"340\" class=\"jsx-1647035624\"\/><\/figure>\n<p style=\"line-height:18px;position:absolute;bottom:0;background:linear-gradient(transparent,#000);left:0;right:0;margin-bottom:0;font-size:12px;color:#fff;padding:32px 10px 5px;min-height:55px\" class=\"jsx-1647035624 imageCaption\">The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. 
(File for representation) <\/p>\n<\/div>\n<div style=\"width:359px;padding-top:10px\" class=\"jsx-1647035624 article_bnow_box\">\n<h2 style=\"min-height:24px;font-size:14px;line-height:24px;color:#3f3f3f;font-weight:400\" class=\"jsx-1647035624\"><span class=\"ez-toc-section\" id=\"%E2%80%9CWithout_OTP_vaccinated_beneficiaries_data_cannot_be_shared_to_any_bot%E2%80%A6_There_is_no_provision_to_capture_address_of_beneficiary%E2%80%9D_the_health_ministry_clarified_adding_it_has_requested_the_CERT-In_to_look_into_the_issue_and_submit_a_report\"><\/span>&#8220;Without OTP, vaccinated beneficiaries\u2019 data cannot be shared to any bot&#8230; There is no provision to capture address of beneficiary,&#8221; the health ministry clarified, adding it has 
requested the CERT-In to look into the issue and submit a report<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<\/div>\n<\/div>\n<div id=\"article_ContentWrap\">\n<div class=\"jsx-1647035624\">\n<p id=\"0\" class=\"story_para_0\">The health ministry has clarified that reports of alleged CoWIN portal breach, stating that personal information, including Aadhaar and passport details, phone number, date of birth and gender, was available on a Telegram (online messenger application) bot for a brief period of time, are \u201cwithout any basis and mischievous in nature&#8221;.<\/p>\n<p id=\"1\" class=\"story_para_1\">\u201cThe Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL\/TLS, regular vulnerability assessment, Identity &amp; Access Management etc. Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal,&#8221; the ministry said.<\/p>\n<p id=\"2\" class=\"story_para_2\">COWIN was developed and is owned and managed by the Ministry of Health and Family Welfare (MoHFW) and is a repository of all data of beneficiaries who have been vaccinated against Covid-19. An Empowered Group on Vaccine Administration (EGVAC) was formed for steering the development of COWIN and for deciding on policy issues. 
The former CEO of the National Health Authority (NHA) chaired EGVAC, which also included members from MoHFW and the Ministry of Electronics and Information Technology (MeitY).<\/p>\n<p id=\"3\" class=\"story_para_3\"><em><strong>The ministry explained that Co-WIN data access is available at three levels:<\/strong><\/em><\/p>\n<ol class=\"listOncontentArticle\">\n<li><strong>Beneficiary dashboard:<\/strong> The person who has been vaccinated can access the CoWIN data through the use of the registered mobile number with OTP authentication.<\/li>\n<li><strong>Co-WIN authorised user:<\/strong> The vaccinator, using the authentic login credentials provided, can access personal-level data of vaccinated beneficiaries. However, the COWIN system tracks and keeps a record of each time an authorised user accesses the COWIN system.<\/li>\n<li><strong>API-based access:<\/strong> Third-party applications that have been provided authorised access to CoWIN APIs can access personal-level data of vaccinated beneficiaries only through beneficiary OTP authentication.<\/li>\n<\/ol>\n<h4><span class=\"ez-toc-section\" id=\"Ministry_on_Telegram_Bot\"><\/span>Ministry on Telegram\u00a0Bot<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul class=\"listOncontentArticleUL\">\n<li>Without OTP, vaccinated <strong>beneficiaries\u2019 data cannot be shared<\/strong> to any bot.<\/li>\n<li><strong>Only the Year of Birth (YOB) is captured for adult vaccination<\/strong>, but media posts claim that the bot also\u00a0mentioned the Date of Birth (DOB).<\/li>\n<li>There is <strong>no provision to capture the address<\/strong> of the beneficiary.<\/li>\n<\/ul>\n<div class=\"mimg-vdo\">\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">With ref to some Alleged Cowin data breaches reported on social media, <a 
href=\"https:\/\/twitter.com\/IndianCERT?ref_src=twsrc%5Etfw\" rel=\"nofollow noopener\" target=\"_blank\">@IndianCERT<\/a> has immdtly responded n reviewed this\u2705A Telegram Bot was throwing up Cowin app details upon entry of phone numbers<\/p>\n<p>\u2705The data being accessed by bot from a threat actor database, which seems to\u2026<\/p>\n<p>\u2014 Rajeev Chandrasekhar \ud83c\uddee\ud83c\uddf3 (@Rajeev_GoI) <a href=\"https:\/\/twitter.com\/Rajeev_GoI\/status\/1668206577021583362?ref_src=twsrc%5Etfw\" rel=\"nofollow noopener\" target=\"_blank\">June 12, 2023<\/a><\/p>\n<\/blockquote>\n<\/div>\n<p id=\"6\" class=\"story_para_6\">The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition, there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application.<\/p>\n<p id=\"7\" class=\"story_para_7\">The Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.<\/p>\n<p id=\"8\" class=\"story_para_8\">CERT-In, in its initial report, has pointed out that backend database for <strong>Telegram bot was not directly accessing the APIs of CoWIN database<\/strong>.<\/p>\n<p id=\"9\" class=\"story_para_9\">Meanwhile, Rajeev Chandrasekhar, Minister of State for Skill Development and Entrepreneurship, tweeted that it \u201cdoes not appear that Cowin app or database has been directly breached\u201d.  
\u201cThe data being accessed by bot from a threat actor database, which seems to hv been populated wth previously breached\/stolen data stolen from past\u2026National Data Governance policy has been finalized that will create a common framework of Data storage, Access and Security standards across all of govt.\u201d <\/p>\n<h4><span class=\"ez-toc-section\" id=\"WHAT_HAPPENED_IN_2021\"><\/span>WHAT HAPPENED IN 2021?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p id=\"10\" class=\"story_para_10\">In 2021, when reports claimed that there was a possible CoWIN data breach, the government had denied the claims.<\/p>\n<p id=\"11\" class=\"story_para_11\">RS Sharma, CEO of the National Health Authority, had vouched for the CoWIN portal, stating it has state-of-the-art security infrastructure and has never faced a security breach.<\/p>\n<p id=\"12\" class=\"story_para_12\">\u201cData of our citizens on CoWIN is absolutely #safe and #secure. Any news about data leaks from CoWIN holds no merit,\u201d he tweeted.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"%E2%80%98ABSOLUTE_SECURITY_A_MYTH\"><\/span>\u2018ABSOLUTE SECURITY A MYTH\u2019<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p id=\"13\" class=\"story_para_13\">Supreme Court lawyer and cybersecurity expert, Dr Pavan Duggal, however, said that absolute security doesn\u2019t exist and what was secured yesterday may not be secured today or tomorrow. \u201cIf any entity says we are 100% safe, that is not accurate. 
But we have to find the loopholes which could potentially be misused by cybercriminals,\u201d he added.<\/p>\n<\/div>\n<div class=\"jsx-1647035624 authorBox21 article_author\">\n<div class=\"jsx-1647035624 author_box\">\n<div class=\"author_box_inner\">\n<div class=\"img_box1 author_img\"><img decoding=\"async\" src=\"https:\/\/images.news18.com\/ibnlive\/uploads\/2022\/06\/bhaswati.jpg?impolicy=website&amp;width=70&amp;height=70\" class=\"lazyload\" alt=\"\"\/><\/div>\n<div class=\"text1 author_content\"><a class=\"smalldesc1 author_name\" href=\"https:\/\/www.news18.com\/byline\/bhaswati-guha-majumder.html\" target=\"_blank\" rel=\"noopener\"><span>Bhaswati Guha Majumder<\/span><\/a>\n<div>Bhaswati Guha Majumder, Senior Correspondent at News18, has been passionately covering stories related to technology, business (infrastructure), gover<!-- -->&#8230;<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p><a href=\"https:\/\/www.news18.com\/tech\/telegram-bot-leaks-personal-info-shared-on-cowin-its-a-wake-up-call-says-expert-8057503.html\" target=\"_blank\" rel=\"noopener\">Source link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. 
(File for representation) &#8220;Without OTP, vaccinated beneficiaries\u2019 data cannot be shared to any bot&#8230; There is no provision to capture address of beneficiary,&#8221; the health ministry clarified, adding it has requested the CERT-In &#8230; <a title=\"CoWIN Portal Safe, Reports of Telegram Bot Sharing Personal Info Mischievous: Health Ministry\" class=\"read-more\" href=\"https:\/\/bscrackers.com\/?p=1623\" aria-label=\"Read more about CoWIN Portal Safe, Reports of Telegram Bot Sharing Personal Info Mischievous: Health Ministry\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":1624,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[107],"tags":[],"class_list":["post-1623","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tech"],"_links":{"self":[{"href":"https:\/\/bscrackers.com\/index.php?rest_route=\/wp\/v2\/posts\/1623","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bscrackers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bscrackers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bscrackers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bscrackers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1623"}],"version-history":[{"count":0,"href":"https:\/\/bscrackers.com\/index.php?rest_route=\/wp\/v2\/posts\/1623\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bscrackers.com\/index.php?rest_route=\/wp\/v2\/media\/1624"}],"wp:attachment":[{"href":"https:\/\/bscrackers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1623"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bscrackers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1623"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bscrackers.com\
/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1623"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}