Web doc iCliniq plugs leaky S3 bucket stuffed full of medical records
Even the file names exposed sensitive info, claim researchers
Exclusive Online medical consultation service iCliniq left thousands of medical documents in a publicly accessible Amazon Web Services S3 bucket.
iCliniq locked down the online silo earlier this week only after the slip-up was brought to its attention by German security researcher Matthias Gliwka. He approached El Reg after failing to get any response to notification emails he sent to the firm.
The global health startup, which is based in India, allows users to privately ask medical questions, to which they can attach their medical records, and have the queries answered by doctors. However, iCliniq stored these private medical documents in a misconfigured wide-open AWS S3 bucket that could have been potentially pored over by anyone.
This cloud storage box, according to Gliwka, contained about 20,000 medical documents, such as information on blood screens and HIV tests.
From Bangkok to Phuket, they cry out: Oh, Bucket! Thai mobile operator spills 46k people's dataREAD MORE
Gliwka was able to establish a link between the icliniq.com website and the S3 bucket. Test files he uploaded through the website appeared in the same cloud-based system.
The German researcher also found a second problem. He said iCliniq had failed to check for permissions in its web app so every user was able to see every question asked by other members – simply by guessing the ID number of the question. Technically, this is known as an IDOR (Insecure Direct Object Reference) vulnerability.
El Reg ran Gliwka's findings past UK security researcher Scott Helme, who quickly confirmed iCliniq had a serious cockup to resolve. "They need to get this locked down ASAP," Helme told us. "The bucket should be easier to fix than the IDOR... but both need work."
Armed with this confirmation, El Reg joined Gliwka in chasing up iCliniq. This wasn't easy, and as soon as we escalated the issue to iCliniq's chief exec Dhruv Suyamprakasam, both problems were promptly resolved.
Siddharth Parthiban, iCliniq's data protection officer, apologised to Gliwka for the organisation's failure to respond to a vulnerability notification. An internal investigation revealed that medical files of patients of two regions of India, the states of Tamil Nadu and Punjab, that were meant to be open only to lab-testing partners were actually publicly accessible.
"The S3 folder taken for these regions in India must have been moved [from] private," Parthiban explained in an email. Challenged on this point, the data protection officer reiterated that only Indian data was exposed to the public. "I confirm that ONLY files of the two states in India (Tamil Nadu and Punjab) were public. Files of other regions/countries/continents were/are NOT public," Parthiban told El Reg.
Once it had confirmed the issue, iCliniq treated the problem as a critical priority, and promptly restricted access to confidential medical data. iCliniq promised it would contact the particular patient whose data Gliwka cited as an example. It didn't offer any commitment to other people whose data was kept in the same previously insecure S3 bucket.
Gliwka confirmed that when he tried to access the confidential repository on Wednesday, access was denied.
Who's leaving Amazon S3 buckets open online now? Cybercrooks, US election autodialersREAD MORE
"The Amazon S3 bucket no longer publicly lists its contents and the direct links to documents I have the link to are no longer accessible," Gliwka told El Reg. "The IDOR vulnerability, which allowed to see the private questions of other users, is also fixed."
Gliwka remains dissatisfied with iCliniq's response. He's not convinced that the issue was geographically contained to India, and challenged iCliniq on this point.
The Register notes that test documents uploaded by both researchers – Gliwka in Germany, and Scott Helme in the UK – ended up in the same publicly accessible AWS S3 bucket before the firm made the fix. "Your file is definitely accessible by you alone," iCliniq told Gliwka when he raised this point.
The startup should notify everyone whose details were potentially exposed by the security blunder – not just the handful of files Gliwka and Helme accessed in verifying the problem, and not solely the patient whose file was emailed around by way of example. Ostensibly, even the names of files stored in the repository exposed sensitive information.
"While I believe that you've tried to protect those files by setting appropriate ACLs [Access Control Lists], I still had access to other files, even some files regarding data subjects outside of India," Gliwka told iCliniq in an email shared with The Register. "The file listing did indeed contain sensitive information. Some file names contain the name of a patient combined with the name of a medical test/diagnosis/procedure, i.e. john-doe-hiv-test.pdf, john-doe-cancer.pdf... just with a real name."
The startup said the files were pseudonymous, and did not constitute personally identifiable information.
Gliwka told us: "The system uses the filename provided during the upload and saves it verbatim after prefixing the file id, user id, question id and a random looking value."
Instances of sensitive data being publicly viewable in Amazon-hosted cloud storage are far from rare. For instance, thousands of files containing the personal information of US citizens with classified security clearances were exposed last year.
There has since been a steady stream of such cockups, which shows little sign of letting up. That's bad enough, but at the same time it is getting easier for interested parties to locate unsecured S3 buckets thanks to automated scripts, as previously reported.
Gliwka came across iCliniq's bucket in the process of developing a tool to discover leaks sensitive in nature, something he described as a side project. "During the research on how to approach this problem I came across a multitude of buckets with sensitive information," he said. "Most companies took them down rather quick[ly]."
The UK's Information Commissioner's Office has been informed of the medical data fumble. ®
Have you spotted a leaky S3 bucket? Let us know, and we'll even help plug the holes.
Sponsored: Becoming a Pragmatic Security Leader