Skip To Content
BuzzFeed News Home Reporting To You

Utilizamos cookies, próprios e de terceiros, que o reconhecem e identificam como um usuário único, para garantir a melhor experiência de navegação, personalizar conteúdo e anúncios, e melhorar o desempenho do nosso site e serviços. Esses Cookies nos permitem coletar alguns dados pessoais sobre você, como sua ID exclusiva atribuída ao seu dispositivo, endereço de IP, tipo de dispositivo e navegador, conteúdos visualizados ou outras ações realizadas usando nossos serviços, país e idioma selecionados, entre outros. Para saber mais sobre nossa política de cookies, acesse link.

Caso não concorde com o uso cookies dessa forma, você deverá ajustar as configurações de seu navegador ou deixar de acessar o nosso site e serviços. Ao continuar com a navegação em nosso site, você aceita o uso de cookies.

A Security Flaw In Qatar's Contact Tracing App Exposed Hundreds Of Thousands Of People's Personal Data

After it was found by Amnesty International, the bug was fixed by the app's developers.

Posted on May 26, 2020, at 2:21 p.m. ET

Karim Jaafar / Getty Images

Workers wearing protective masks walk on a street in Doha, Qatar.

A security flaw in Qatar’s mandatory coronavirus contact tracing app could have resulted in the leak of the personal data of hundreds of thousands of people, including ID numbers, location, and health information, according to Amnesty International’s Security Lab.

After Amnesty alerted Qatari authorities on Thursday, they fixed the flaw in the app. The incident underscores the risks of contact tracing apps. Privacy activists worry the apps could be compromised by outside attackers or used by governments to collect personal data unrelated to the pandemic.

Claudio Guarnieri, a senior technologist at Amnesty International and head of its Security Lab, told BuzzFeed News that his organization found the flaw that could have compromised people's data.

“The app downloaded the QR code from the server by performing a particular request providing the national ID the user provided at registration,” he said. “However, anyone with the sufficient technical know-how to analyze the inner workings of the apps would have been able to reconstruct the network protocol and notice that because the server only expected an ID number to return the QR code, one could request it for any other ID instead."

A hacker could have used a brute-force attack to generate all possible combinations of the ID numbers, retrieving their data.

To fix the issue, the updated version of the app has more stringent authentication requirements.

On May 22nd, Qatar made mandatory the use of their COVID-19 contact tracing app #EHTERAZ, with severe penalties for those found without it. We found glaring privacy issues that left exposed personal data of more than a million users. A thread 👇. https://t.co/ZzP8Eo80yB

Twitter

Qatar has joined a group of several dozen countries that have implemented contact tracing apps for all or some of their population; it is among the few countries that have made downloading the app mandatory. The app, named Ehteraz — which means "precaution" — can also access photos and videos on the user’s phone.

This is a cautionary example of how centralizing data on COVID-19 contact tracing apps could go wrong. Additionally, excessive tracking of users of these apps remains worrisome. These apps must remain voluntary, and ensure people's human rights are protected. 👇

Twitter

Qatari authorities have said that personal data on the app would be deleted two months from the time of collection and that there’s no cause for alarm over privacy. The app sends the information it gathers from users into a central database and tracks the locations visited by people infected with the coronavirus.

BuzzFeed News’ FinCEN Files investigation exposed massive financial corruption on a historic global scale. Want to support our journalism? Become a BuzzFeed News member.

ADVERTISEMENT