Amber Group has fixed a second security lapse that exposed the government's private keys and passwords for the JamCOVID app and website.
A security researcher told ClearTips on Sunday that Amber Group mistakenly left a file on the JamCOVID website containing passwords that provided access to the backend systems, storage, and databases running the JamCOVID site and app. The researcher asked not to be named, citing fears of legal consequences from the Jamaican government.
This file, known as an environment variable (.env) file, is often used to store private keys and passwords for third-party services that are necessary to run a cloud application. But these files are sometimes inadvertently exposed or uploaded by mistake, and if found by a malicious actor they can be abused to gain access to data or services that the cloud application depends on.
The exposed environment variable file was found in an open directory on the JamCOVID website. Although the JamCOVID domain appears on the Health Ministry website, the Amber Group controls and maintains the JamCOVID dashboard, app, and website.
The exposed file contained secret credentials for the Amazon Web Services databases and storage servers for JamCOVID. The file also contained a username and password for the SMS gateway used to send text messages, and credentials for its email-sending servers. (ClearTips did not test or use any password or key, as it would be illegal to do so.)
ClearTips contacted Amber Group chief executive Dushyant Savadia, who briefly pulled the exposed file offline, to alert the company to the security lapse. We also asked Savadia, who had no comment, to revoke and replace the key.
Matthew Samuda, a minister in Jamaica's Ministry of National Security, did not respond to a request for comment or to our questions, including whether the Jamaican government plans to continue its contract or relationship with Amber Group, and what security requirements, if any, were agreed upon by both Amber Group and the Government of Jamaica for the JamCOVID app and website.
Details of the exposure come just days after Escala 24×7, a cybersecurity company based in the Caribbean, claimed that it had not found any vulnerability in the JamCOVID service after the initial security lapse.
Escala chief executive Alejandro Planas declined to say if his company was aware of the second security lapse prior to its comments last week, saying only that his company was under a non-disclosure agreement and "not able to provide any additional information."
This latest security incident comes less than a week after Amber Group hosted a passwordless cloud server with immigration records and negative COVID-19 test results, affecting thousands of travelers who had visited the island in the previous year. Travelers visiting the island are required to upload their COVID-19 test results to obtain travel authorization prior to their flights. Many of the victims whose information was exposed on the server are Americans.
A news report recently quoted Amber's Savadia as saying that the company developed JamCOVID19 "within three days".
Neither Amber Group nor the Jamaican government has commented to ClearTips, but Samuda told local radio that it had launched a criminal investigation into the security lapses.