By Joseph B.A. Marzan
An Ilonggo Information Technology (IT) professional on social media pointed out that Iloilo City's contact tracing system, Uswag Tracer, may be susceptible to hacking and data breaches, as some of its components that were supposed to be private were found to be reachable from the public internet.
The Uswag Tracer was made available online on Nov. 16, 2020 through a website for city residents, non-residents working in the city, and visitors.
Users must input their full names, home addresses, contact numbers and email addresses, and a Quick-Response (QR) code would be sent to their email. The code must be personally presented in all establishments and offices within the city.
This is part of the city's measures to curb the spread of coronavirus disease 2019 (COVID-19).
PHP Engineer Ramon Alivio, however, commented on social media yesterday that the website's hosting control panel (cPanel) was reachable from the public internet.
Alivio reminded the developers to restrict access to such areas, as well as to the site's library and asset directories, to known Internet Protocol (IP) addresses, since these, he said, should only be accessed privately.
He also raised why the domain was registered to Mark Milan Jagunap instead of the city government.
Daily Guardian found that Mark Milan Jagunap was the project team leader of the city government’s QVID contact tracing app, which was launched in August for Iloilo City Hall employees.
Alivio is a 'Whitehat Security Advisor' who assesses the security of online systems through 'whitehat hacking', a form of hacking used to test, rather than exploit, the security of web servers.
He shared in an interview with Daily Guardian that, through a port scanner application, he was able to access important ports such as Port 22, the "shell port", and Port 3306, the "database port".
Ports are like "doors" into a web server: each one leads to a service, such as the database or a remote shell. A port that is reachable from the internet is guarded only by whatever authentication that service enforces, usually a username and password.
The shell port (Secure Shell, SSH) provides remote command-line access to the server. A hacker who logs in through it, particularly as the root (administrator) user, can take control of the entire web server.
He hoped that the database port, also known as the MySQL (My Structured Query Language) port, was not the one behind which users' information was stored.
He said that with these ports reachable, the contact tracing site is susceptible to "brute-forcing", where a hacker submits many passwords until they hit the correct combination.
Other ports he found publicly reachable were Port 21 (File Transfer Protocol, FTP), Port 110 (Post Office Protocol version 3, POP3) and Port 143 (Internet Message Access Protocol, IMAP).
Another supposedly "private" area Alivio was able to reach from the public internet is the administrator area, which he says is also susceptible to brute-forcing.
He explained further that gaining access to the important ports of the site would be similar to “entering a house with a combination lock”.
"The real-life equivalent of this is, you have a house, your house has no gate. Your main door is locked, but it's only locked using a combination lock. Anyone from the street can come and touch your lock and make many attempts to open it. Naturally, someone with enough time and patience can eventually unlock your house," Alivio said in an interview.
Alivio was also able to capture his own request for a QR code and replay it multiple times.
Because the server accepts and records every copy, an attacker could flood it with bogus registrations until it can no longer serve legitimate users, a denial-of-service condition; carried out from many machines at once it becomes a Distributed Denial-of-Service (DDoS) attack, where cybercriminals swamp the system with so much traffic that its operations are disrupted.
He suggested that the city government implement "throttling", that is, rate limiting: capping how many requests a single source may submit within a given period.
"This means someone who has evil intentions can replay the same request millions of times and it will still get recorded in their database, eventually bringing it down. They will just be surprised that their database keeps filling up with garbage. There should be throttling, like if a certain IP address has registered 20 or even 50 times, it is hardly believable that 20 or 50 people would really register from one household," Alivio said.
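As an added illustration of the throttling Alivio describes (this is example code written for this article, not code from Uswag Tracer, the city government or Alivio), the Python below rate-limits registrations per source IP address over a sliding window and, as a complementary measure, treats a re-submitted registration for the same e-mail address as idempotent, so a replayed request cannot keep adding rows. The addresses, names, the 20-per-day limit and the handler's shape are constructed assumptions for the demonstration.

```python
"""Throttling a registration endpoint against replay and flooding (added example)."""
import time
from collections import defaultdict, deque


class SlidingWindowThrottle:
    """Allow at most `limit` accepted events per source within the last `window_seconds`."""

    def __init__(self, limit=20, window_seconds=24 * 3600, clock=time.monotonic):
        self.limit = limit
        self.window_seconds = window_seconds
        self.clock = clock                      # injectable so the demo can fast-forward time
        self._events = defaultdict(deque)       # source -> timestamps of accepted events

    def allow(self, source):
        now = self.clock()
        q = self._events[source]
        while q and now - q[0] >= self.window_seconds:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # over budget: reject and record nothing
        q.append(now)
        return True


class RegistrationService:
    """Stand-in for the QR-code registration handler; `records` plays the database table."""

    def __init__(self, throttle):
        self.throttle = throttle
        self.records = {}        # email -> payload, so a replayed request maps to one row
        self.throttled = 0
        self.duplicates = 0

    def register(self, source_ip, payload):
        # 1. Cheapest check first: has this source exhausted its registration budget?
        if not self.throttle.allow(source_ip):
            self.throttled += 1
            return 429, "too many registrations from this address, try again later"
        # 2. Idempotency: the same person re-submitting gets the same outcome, not a new row.
        email = payload["email"].strip().lower()
        if email in self.records:
            self.duplicates += 1
            return 200, "already registered, QR code re-sent"
        self.records[email] = payload
        return 200, "QR code sent"


def run_scenarios(limit=20, window=24 * 3600):
    """Exercise the service against replay and flooding; returns the observed outcomes."""
    fake_now = [1000.0]                        # controllable clock for the demonstration
    svc = RegistrationService(
        SlidingWindowThrottle(limit, window, clock=lambda: fake_now[0]))
    attacker, neighbour = "203.0.113.7", "198.51.100.9"   # constructed documentation addresses

    # A: one captured registration request replayed 1000 times from a single address.
    captured = {"name": "Juan dela Cruz", "email": "Juan@Example.com"}  # constructed payload
    for _ in range(1000):
        svc.register(attacker, captured)
    after_replay = (len(svc.records), svc.duplicates, svc.throttled)
    # only `limit` copies reach the handler, exactly one row is written, the rest are dropped

    # B: the same address now tries 100 distinct fake identities; its budget is already spent.
    for i in range(100):
        svc.register(attacker, {"name": f"fake {i}", "email": f"fake{i}@example.com"})
    after_flood = len(svc.records)

    # C: an unrelated address is not affected by the attacker's exhausted budget.
    neighbour_status, _ = svc.register(
        neighbour, {"name": "Maria", "email": "maria@example.com"})

    # D: once the window has elapsed the budget refills, but is capped again at `limit`.
    fake_now[0] += window
    accepted_next_day = sum(
        1 for i in range(100)
        if svc.register(attacker, {"name": f"day2 {i}",
                                   "email": f"day2-{i}@example.com"})[0] == 200)

    return {
        "after_replay": after_replay,
        "after_flood": after_flood,
        "neighbour_status": neighbour_status,
        "accepted_next_day": accepted_next_day,
        "total_records": len(svc.records),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner would add: a per-IP cap is a blunt instrument, since many legitimate users can sit behind one address (an establishment's shared connection, a mobile carrier's NAT) while an attacker can spread requests over many addresses, so it is usually paired with a per-identity check such as the e-mail idempotency above or a CAPTCHA. And throttling the registration form does nothing about the exposed control panel, shell and database ports described earlier; those need to be closed or restricted to known addresses regardless.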
Alivio also added that this was in no way related to the end-to-end encryption that the city government stated in a press conference on Monday.
End-to-end encryption, as used here, protects data only while it travels between the user's computer or other device and the servers where the city government houses the data. It does nothing about a control panel, shell port or database port that is itself reachable from the internet, and it does not prevent brute-forcing of passwords or the replay of otherwise legitimate requests.
Daily Guardian has reached out to Francis Cruz, Iloilo City Mayor Jerry Treñas' executive assistant for information technology, for comment on the tracer's security issues, but he had not responded as of this writing.