IT security: In Italy, reporting IT vulnerabilities is still a risk

"A 30-minute audit to bring down the castle": so wrote, on his personal blog, the IT security expert Giovanni Rocca, who in March 2020 gained access to the IT system of Lazio Doctor Covid (LaziodrCovid) and uncovered serious IT deficiencies. The app, now no longer active, was created by the regional company Lazio Crea to connect chronic and monitored patients with their doctors, so that patients could share personal information such as temperature and blood pressure with their family doctor during the darkest period of the coronavirus pandemic.

The quoted sentence is the title of the article in which Rocca described in detail the vulnerabilities he found in the app. These are serious system configuration errors, known in technical jargon as cyber vulnerabilities. The discovery and exploitation of such vulnerabilities by a malicious attacker can be a major problem, because it can endanger the security of the entire system. This was not the case with Rocca, however: he entered the app to see how and what was not working, and then limited himself to reporting it publicly. Uncovering the vulnerabilities of a system is a noble act, because it allows those responsible to correct a mistake that could otherwise be exploited by others for potentially illegal purposes, with worse consequences.

After entering into the LaziodrCovid application the email address, telephone number and tax number of a third person residing in the Lazio region (who had consented to this use), the system returned an access token, i.e. a code that contains information about the individual user and the actions they are allowed to perform. Rocca found that this token was not verified or validated by the system, and could therefore be used to display not only the information of the user for whom it had been issued, but also that of all the other patients.

On his blog, the security expert also explained how the system allowed the "body temperature" parameter of a family member of the patient who had provided him with the access data to be changed. In practice, the LaziodrCovid app gave access to the biometric and personal data of all registered users.
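The failure described above is a server that accepts a token without validating it and never checks that the requested record belongs to the token's owner. The following added example (not code from the article or from the LaziodrCovid app, whose token format is not described) contrasts that weak handler with a hardened one, using an assumed HMAC-signed token and a constructed patient store:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-server-secret"  # constructed for the example

# Constructed sample store (not real data): patient id -> record
PATIENTS = {
    "p1": {"name": "Patient One", "temperature": 36.6},
    "p2": {"name": "Patient Two", "temperature": 37.2},
}

def issue_token(subject: str) -> str:
    """Issue a token bound to one patient id (assumed format: payload.signature)."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": subject}).encode()).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def parse_token_unverified(token: str) -> dict:
    """Decode the claims without checking the signature: the weakness."""
    payload, _sig = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload))

def verify_token(token: str) -> Optional[dict]:
    """Check the signature before trusting any claim; None if it fails."""
    payload, sig = token.split(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

def get_record_vulnerable(token: str, patient_id: str) -> Optional[dict]:
    """Any token holder can read any patient: claims unverified, id unbound."""
    parse_token_unverified(token)  # only presence is checked, never validity
    return PATIENTS.get(patient_id)

def get_record_hardened(token: str, patient_id: str) -> Optional[dict]:
    """Valid signature required, and the record must belong to the subject."""
    claims = verify_token(token)
    if claims is None or claims.get("sub") != patient_id:
        return None  # deny: authorization is decided server-side
    return PATIENTS.get(patient_id)

def set_temperature_hardened(token: str, patient_id: str, value: float) -> bool:
    """Same binding applied to writes, e.g. the body temperature field."""
    if get_record_hardened(token, patient_id) is None:
        return False
    PATIENTS[patient_id]["temperature"] = value
    return True
```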
