Amber Group fixed a second security issue that exposed private keys and passwords for the government JamCOVID app and website.
A security researcher told TechCrunch on Sunday that the Amber Group mistakenly left a file on the JamCOVID website, which contained passwords that allegedly gave access to the backend systems, storage and databases running the site and the JamCOVID application. The researcher asked not to be named for fear of legal repercussions from the Jamaican government.
This file, called an environment variable file (.env), is often used to store private keys and passwords for third-party services that are needed to run cloud applications. These files are sometimes inadvertently exposed or downloaded by mistake, and if found by a malicious actor they can be abused to gain access to the data or services that the cloud app relies on.
The exposed environment variable file was found in an open directory on the JamCOVID website. Although the JamCOVID domain appears to be on the Department of Health website, Amber Group controls and maintains the JamCOVID dashboard, app, and website.
The exposed file contained secret credentials for Amazon Web Services databases and storage servers for JamCOVID. The file also contained a username and password for the SMS Gateway used by JamCOVID to send text messages and credentials for its sending e-mail server. (TechCrunch has not tested or used any of the passwords or keys, as this would be illegal.)
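A pre-deployment check for this failure mode, as an added example that is not code from TechCrunch, Amber Group or the JamCOVID project: it walks the directory a web server publishes, flags any environment variable file inside it, and lists the names (never the values) of the credentials that would need rotating. The function names, the key-name heuristic and the sample tree are all assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Heuristic (an assumption): variable names matching this are treated as credentials.
SECRET_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|ACCESS_KEY|PRIVATE_KEY)", re.I)
# File names a dotenv loader commonly reads: .env, .env.backup, production.env, ...
ENV_FILE = re.compile(r"^(\.env(\..+)?|.+\.env)$")
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def secret_keys(text):
    """Return names of non-empty, secret-looking variables; values are never returned."""
    found = []
    for line in text.splitlines():
        m = ASSIGNMENT.match(line)  # comment lines start with '#' and never match
        if m and SECRET_NAME.search(m.group(1)) and m.group(2).strip().strip("'\""):
            found.append(m.group(1))
    return found

def audit_webroot(root):
    """Map each env file under the published directory to its secret-looking keys."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if ENV_FILE.match(name):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    findings[rel] = secret_keys(fh.read())
    return findings

def build_sample_webroot(root):
    """Constructed sample tree; every name and value below is made up."""
    os.makedirs(os.path.join(root, "assets"))
    samples = {
        "index.html": "<h1>dashboard</h1>\n",
        ".env": "# constructed sample\nAPP_NAME=demo\nAWS_SECRET_ACCESS_KEY=EXAMPLE\n"
                "export SMS_GATEWAY_PASSWORD='EXAMPLE'\nMAIL_PASSWORD=\n",
        "assets/.env.backup": "DB_PASSWORD=\"EXAMPLE\"\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:
        build_sample_webroot(webroot)
        for rel, keys in sorted(audit_webroot(webroot).items()):
            print(f"/{rel}: publicly served; rotate {', '.join(keys) or 'nothing secret-looking'}")
```

Any finding means the file should be moved out of the published directory and every listed credential revoked and replaced, since taking the file offline does not invalidate keys that were already exposed.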
TechCrunch contacted Amber Group Managing Director Dushyant Savadia to alert the company to the security failure, and the company took the exposed file offline shortly after. We also asked Savadia, who did not comment, to revoke and replace the keys.
Matthew Samuda, a minister in the Jamaican Department of National Security, did not respond to a request for comment or our questions, including whether the Jamaican government plans to continue its contract or relationship with the Amber Group, and what security requirements, if any, have been agreed by the Amber Group and the Jamaican government for the JamCOVID app and website.
The details of the exposure come just days after Escala 24x7, a Caribbean-based cybersecurity company, claimed it had found no vulnerabilities in the JamCOVID service following the initial security failure.
Escala chief executive Alejandro Planas declined to say whether his company was aware of the second security breach prior to his comments last week, saying only that his company was subject to a nondisclosure agreement and “is unable to provide additional information.”
The latest security incident comes less than a week after Amber Group secured a passwordless cloud server hosting immigration records and negative COVID-19 test results for hundreds of thousands of travelers who have visited the island in the past year. Travelers visiting the island are required to download their COVID-19 test results in order to obtain travel authorization before their flights. Many of the victims whose information was exposed on the server are Americans.
A report recently quoted Amber’s Savadia as saying the company had developed JamCOVID19 “in three days”.
Neither the Amber Group nor the Jamaican government commented to TechCrunch, but Samuda told local radio she has launched a criminal investigation into the lack of security.