TASK FORCE COORDINATOR: Dr Masupu

Bsafe app not so safe

• It’s a matter of national importance and urgency - court papers

Two security researchers have dragged Presidential Task-force Coordinator Kereng Masupu, Director of Health Services Malaki Tshipayagae, Branstorne enterprises (PTY) LTD, and the Attorney General to court over the vulnerability and safety of the Bsafe application.

The urgent application was made this Tuesday at the Gaborone High Court before Justice Christopher Mokwadi Gabanagae.

The applicants, Itumeleng Ditlhotlhole and Samuela Molaodi, are of the view that the Bsafe app exposes its users’ personal information.

Bsafe is Botswana’s official contact tracing app for the COVID-19 pandemic.

It is available on Android, a mobile operating system, and as a web application served through a web browser at the uniform resource locator (URL) https://web.covid19bw.centre/login. It is a tracking tool that is used to identify people who have been at a certain location.

According to court documents seen by The Voice, the app relies on the user checking in at a particular location by scanning a QR code or giving out their national identity number.

“The contact tracing app would then store this information to be later used to identify who has been where based on travel history.”

The applicants say they decided to take government to court as they are registered users of the Bsafe app. They contend that by profession they are trained and equipped with the knowledge and skills to identify vulnerabilities on computer applications.

“These issues may be identified by reverse engineering application or actively scanning an application.”

The security researchers explained in their submission that “inspect element is a web browser functionality that shows the innards of a webpage such as its source code, the images and CSS that form its design, the fonts and icons it uses, the JavaScript code that empowers animations and the network interactions. This functionality is publicly available on all web browsers”.

According to one of the applicants, whilst inspecting the network interactions of the Bsafe application homepage under the network tab, “it came to my attention that editing the date parameters in order to get my travel history between certain dates returned a response which contained information of people I do not know, most of which was personal information.”

Further inspecting the app, the security researchers say they opened other pseudonymous accounts in order to verify their investigations.

“Whilst logged in with the pseudonymous user, I repeated the edit process described above but instead changed the number field, I edited the pseudonymous user’s mobile number to a mobile number used by my real account, that is 7 ******* and it returned some of the personal data that I registered for the Bsafe application with,” one of the applicants stated.

They further argue that they shared with the task force the vulnerabilities of the Bsafe app with the hope that they would facilitate a resolution to the vulnerabilities and safeguard user personal information of Batswana, but all in vain.

The applicants further tell the court in their urgent application that because the app is also available on the internet, it means hackers from across the world have access to personal data of Batswana and “with the internet it is possible to access almost any information, communicate with anyone else in the world and so much more.”

“Further, anyone can be a registered user of the application regardless of where they are situated because the application does not validate any of the registration details given to it, that is how I was able to register a pseudonymous account with random details to verify the vulnerabilities and at no point did I have to confirm that my mobile number exists, whether my email address works or that I am who I say I am,” the court documents further state.

“It is clear that any registered user of the Bsafe application who is logged into their profile on the web application can view data of multitudes of other users without authentication to those users’ profiles.”
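The behaviour the applicants describe (edited date and number parameters returning other users' records) is what happens when a server takes the record owner from the request instead of from the logged-in session. The following is an added illustration, not code from the Bsafe application or the court papers; the function names, parameter names and records are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample records (mobile number, place, check-in date); not real data.
CHECKINS = [
    ("70000001", "Mall A", date(2021, 8, 1)),
    ("70000001", "Clinic B", date(2021, 8, 9)),
    ("70000002", "Bank C", date(2021, 8, 3)),
    ("70000003", "School D", date(2021, 8, 5)),
]

@dataclass(frozen=True)
class Session:
    """Identity fixed by the server at login; the browser cannot edit it."""
    mobile: str

class Forbidden(Exception):
    """Raised when a request names an account other than the session owner."""

def _dates(params):
    return date.fromisoformat(params["from"]), date.fromisoformat(params["to"])

def history_unsafe(session, params):
    """Hypothetical flawed lookup: the record owner comes from the request."""
    start, end = _dates(params)
    number = params.get("number")  # client-controlled, editable in dev tools
    return [c for c in CHECKINS
            if start <= c[2] <= end and (number is None or c[0] == number)]

def history_scoped(session, params):
    """Hardened lookup: the record owner always comes from the session."""
    start, end = _dates(params)
    requested = params.get("number", session.mobile)
    if requested != session.mobile:
        # Refuse and surface the mismatch so it can be logged and alerted on.
        raise Forbidden(f"session {session.mobile} requested {requested}")
    return [c for c in CHECKINS
            if c[0] == session.mobile and start <= c[2] <= end]

if __name__ == "__main__":
    me = Session("70000001")
    august = {"from": "2021-08-01", "to": "2021-08-31"}
    print("unsafe:", history_unsafe(me, august))
    print("scoped:", history_scoped(me, august))
```

The scoped version returns only the session owner's check-ins whatever dates are supplied, and a request naming another number fails with an error that a monitoring team can alert on.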

The case returns in October, as both parties were given more time to file further documents. The applicants want the Government interdicted from making the app web application with immediate effect. They also want the Government to carry out a privacy impact assessment of the app and delete all personal data that the app currently has.
