Apollo Hospitals' bug granting access to details of 1 million patients fixed
Earlier this week, French security researcher Elliot Alderson and Indian security consultant Shashank revealed that the patient database of corporate hospital chain Apollo Hospitals was allegedly at risk of being easily hacked.
Shashank posted a tweet on Saturday saying that the bug, which could grant access to the personal details of over one million persons who had booked appointments online, was now patched.
Hi @HospitalsApollo, a serious security issue has been discovered in your system, can you contact me by DM? The personal data of millions of people are at stake, this is important.
— Elliot Alderson (@fs0c131y) March 12, 2018
Shashank wrote in his blog that he stumbled on the bug while booking a dental appointment on Apollo Hospitals' digital platform, Ask Apollo.
How Apollo hospitals could leak 1 million users data [Now patched] https://t.co/14J08mYub7
— Shashank (@cyberboyIndia) March 16, 2018
Shashank said that he had tried to contact the hospital chain via email and then got in touch with Alderson, following which Apollo fixed the vulnerability.
Elliot Alderson recently disclosed security vulnerabilities at several Indian agencies and companies, including Aadhaar, Paytm, etc.
Earlier, he pointed out similar, serious security vulnerabilities in the databases of the Aligarh Muslim University, BSNL, UIDAI, Paytm and others.
As the issue is now fixed, I can disclose the full details of the @HospitalsApollo issue. All the physical appointment forms were available at this url: https://t.co/N9zfrmmdXc. By changing the hashKey param, it was possible to access more than 1 million forms. pic.twitter.com/5Q9W8vMVJK
— Elliot Alderson (@fs0c131y) March 16, 2018