Please stop hard-wiring AWS credentials in your code. Looking at you, uni COVID-19 track-and-test app makers

In America, student schools you!


Albion College has a plan for students to return safely to campus this fall amid the COVID-19 coronavirus pandemic. It involves being tracked by an app that, at least until a few days ago, appears to have been insecure.

The Michigan institution announced its plan on July 28, which calls for testing coordinated by Testing Centers of America and the use of a health monitoring app called Aura Sequential Testing.

"All students will utilize Aura, an app developed by Nucleus Healthcare, that organizes the College’s COVID-19 testing and public health approach," Albion said in a statement. "The app will ask for daily health self-monitoring inputs prior to campus arrival in August and will offer daily reminders about common public health measures that everyone should be taking."

The idea has not proven all that appealing. A petition created by "concerned parents of Albion" was posted four days ago to Change.org in the hope of getting the school to reconsider its policy. It objects to the plan which requires students, but not staff, to remain on campus for 14 weeks and be subjected to tracking, data gathering, and work restrictions.

"This protocol that STUDENTS ONLY are required to sign and abide by says that they will download an app that tracks their locations, that they will not leave campus for 14 weeks, agree to give Albion College medical information that is none of their business and that they will not have jobs off campus," the petition says.

Perhaps more concerning is that the Amazon Web Services access keys for the backend servers of the Android version of Aura were, it is claimed, accessible within the app's code. The credentials were found by an Albion College student, who asked to be identified by her Twitter handle Q3w3e3. The keys could, we're told, be used to access the app's backend data and virtual machines in the Amazon-hosted US-West-2 region, including people's COVID-19 test results and medical insurance information.

Q3w3e3, who said she made her Twitter account private following media inquiries about her posts, told The Register in a phone interview that she found the hardcoded AWS credentials stored within the Android app.


And she said it's quite possible the stored data has already been compromised because there are bots that regularly scrape the App Store and Google Play for apps with hardcoded credentials to exploit.
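The kind of check a build pipeline could run to catch this before an app ships, as an added example that is not code from Nucleus, Albion College or the Aura app: it scans a source tree, or the decompiled output of an APK (apktool and jadx are assumed tools here), for AWS access key IDs, which begin with AKIA or ASIA, and for a 40-character secret key nearby, using AWS's own documented example key pair as constructed sample input.

```python
"""Pre-release gate: find AWS access keys hard-wired in a source tree or in
the decompiled output of an APK (apktool/jadx are assumed tools here).
Added example for this article, not code from Nucleus, Aura or Albion."""
import re
from pathlib import Path

# Long-term access key IDs start with AKIA, temporary STS ones with ASIA,
# followed by 16 upper-case letters or digits.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# A secret access key is a 40-character token over the base64 alphabet.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")

def _plausible_secret(token):
    # Real secrets are mixed case; this drops 40-char hex digests (SHA-1).
    return any(c.islower() for c in token) and any(c.isupper() for c in token)

def find_aws_credentials(text, window=3):
    """Return [(line_no, access_key_id, secret_or_None), ...].
    The secret is sought on the key's own line and the next `window` lines,
    the usual layout of a hard-wired pair in a config or strings file."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            nearby = "\n".join(lines[idx:idx + window + 1])
            secret = next((s.group(1) for s in SECRET_KEY_RE.finditer(nearby)
                           if _plausible_secret(s.group(1))), None)
            findings.append((idx + 1, m.group(1), secret))
    return findings

def scan_tree(root):
    """Return {path: findings} for every file under `root` with a hit;
    a CI job should fail the build when the result is non-empty."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            found = find_aws_credentials(path.read_text(errors="ignore"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample: AWS's documented example key pair laid out as it might
# be in a decompiled config file, next to a harmless SHA-1 build id.
SAMPLE = """aws.region=us-west-2
aws.accessKeyId=AKIAIOSFODNN7EXAMPLE
aws.secretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
build.sha=da39a3ee5e6b4b0d3255bfef95601890afd80709
"""
```

Wire `scan_tree` into the release job and refuse to publish when it returns anything; the same pattern applies to keys embedded in build scripts and committed config files.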

Q3w3e3 said she tried twice to report her security concerns to the maker of the application, though her calls were ignored. She also claims to have raised the issue with Albion College. But instead of receiving a direct response, the school appears to have sent out a general message reassuring its community that the app is safe.

Shortly after she posted about the flaw, a new version of the Android app was uploaded on Thursday, August 13. The AWS keys are no longer present in that version, Q3w3e3 said.

Aura collects quite a bit of data: identity information, contact information, technical information, demographic information, profile information, usage information, and marketing and communication information.

Nucleus did not respond to a request for comment. But the company claims in the Aura privacy policy that its app is HIPAA compliant.

Q3w3e3 expressed doubts about the company's ability to keep user data private, noting that the corporate entity named in the privacy policy, Nucleus Careers, LLC, is a recruiting company focused on machine learning and AI.

"They have no history I can find in secure healthcare," she said. "When it comes to the [Albion] policy, I think it's a good idea," said Q3w3e3. "But it needs to be well-implemented."

Albion College did not respond to a request for comment. ®
