Over 14,000 covid test patients were affected by a data leak in Germany this week. This was due to the testing centre software using incremental identifiers in their custom WordPress REST API endpoint.

According to the researchers, a company in Germany named Eventus Media International (EMI) was found to operate the test centres using customised WordPress installations.
Calling the /wp-json/wp/v2/registration/ API endpoint would return data in JSON format, including a 10 digit number, which also happens to be the patient’s covid test number used to retrieve their test results.
The leaked 10 digit codes could then be entered into the website to retrieve the patient’s covid test results, which also included a lot of other personal information, such as the patient’s name, address, date of birth, phone number and more.
On top of that, there was no rate limiting in place, allowing a potential attacker to cycle through all the patient data without anything trying to stop them.
Once made aware of the issue, Eventus Media International (EMI) fixed the security vulnerability on the same day. They now require the user’s name or email address as well as the 10 digit code, and all previous codes were changed.
This is the second time the researchers have found serious security issues in covid test centre software.
The vulnerability in this instance was not due to WordPress itself, but instead, a custom REST API endpoint. The vulnerabilities were business logic issues, Insecure Direct Object Reference (IDOR) and the lack of rate-limiting.
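The controls discussed above (a second identifying value alongside the code, codes that cannot be guessed from one another, and rate limiting) are shown together in the following added Python example; it is not EMI's code and not part of the original article. The class name, the limit of 5 attempts per 10 minutes and the per-client identifier are assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5       # assumed limit per client
WINDOW_SECONDS = 600   # assumed sliding window (10 minutes)


class ResultStore:
    """Hypothetical in-memory model of a test-result lookup service."""

    def __init__(self, clock=time.monotonic):
        self._records = {}                   # code -> (email, result)
        self._attempts = defaultdict(deque)  # client id -> attempt timestamps
        self._clock = clock

    def register(self, email, result):
        # Draw the 10 digit code from a CSPRNG instead of a counter, so
        # knowing one code reveals nothing about any other code.
        while True:
            code = f"{secrets.randbelow(10**10):010d}"
            if code not in self._records:
                break
        self._records[code] = (email.strip().lower(), result)
        return code

    def _rate_limited(self, client):
        now = self._clock()
        window = self._attempts[client]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS:
            return True
        window.append(now)
        return False

    def lookup(self, client, code, email):
        # Every attempt counts against the limit, successful or not.
        if self._rate_limited(client):
            return 429, None
        record = self._records.get(code)
        stored_email = record[0] if record else ""
        supplied = email.strip().lower()
        # Unknown code and wrong email get the same answer: no enumeration oracle.
        if record is None or not hmac.compare_digest(stored_email.encode(), supplied.encode()):
            return 404, None
        return 200, record[1]
```

A 10 digit code space is small enough that random codes alone do not stop guessing, which is why the second value and the attempt limit are enforced on every request.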
WPScan Founder & CEO, Ryan Dewhurst, notes:
It is very unlikely that a WordPress security plugin would have prevented the attack. Keeping your WordPress websites and their plugins up to date certainly helps, but would not have prevented the attack either. In this case, the only way the attack could have been prevented was better security within the design phase of the software development and subsequent penetration testing.
If you need WordPress penetration testing services, get in touch. We have a dedicated team of WordPress security professionals each with 10+ years of security testing experience.