The Register

Web doc iCliniq plugs leaky S3 bucket full of medical files

Exclusive: Online medical consultation service iCliniq has restricted access to thousands of medical documents it left in a public AWS S3 bucket.

iCliniq acted earlier this week only after the slip-up was brought to its attention by German security researcher Matthias Gliwka. Gliwka approached El Reg after initially failing to get any response to notification emails he sent to the firm.

The global health startup, which is based in India, allows users to ask medical questions in private, to which they can attach private medical info, to be answered by doctors. However, iCliniq stored these private medical documents in a public AWS S3 bucket.

This bucket, according to Gliwka, contained about 20,000 medical documents (such as information on blood screens and HIV tests).
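A bucket like the one described above becomes world-readable through one of three settings: an ACL grant to the AllUsers or AuthenticatedUsers group (a READ grant on the bucket is what lets anyone list its contents), a bucket policy whose Principal is `*`, or account/bucket Block Public Access being switched off. The following Python audit routine is an added example for this article, not iCliniq's code or any AWS tool; it runs offline over constructed ACL, policy and Block Public Access documents in the same shape boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` return, and the bucket name and role ARN in the sample data are placeholders.

```python
# Added example: offline audit of the three S3 settings that make a bucket public.
# The sample ACL, policy and Block Public Access documents below are constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def acl_public_grants(acl: dict) -> list[tuple[str, str]]:
    """Grants to the AllUsers/AuthenticatedUsers groups, as (group, permission)."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def policy_public_statements(policy: dict) -> list[str]:
    """Sids of unconditional Allow statements whose Principal is everyone."""
    sids = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            sids.append(st.get("Sid", "<no Sid>"))
    return sids


def block_public_access_gaps(cfg: dict) -> list[str]:
    """Block Public Access flags that are off (all four should be True)."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [flag for flag in required if not cfg.get(flag, False)]


def audit_bucket(acl: dict, policy: dict, pab: dict) -> list[str]:
    """Human-readable findings; an empty list means nothing public was found."""
    findings = []
    for group, perm in acl_public_grants(acl):
        findings.append(f"ACL grants {perm} to {group}")
    for sid in policy_public_statements(policy):
        findings.append(f"policy statement {sid} allows Principal '*' with no Condition")
    for flag in block_public_access_gaps(pab):
        findings.append(f"Block Public Access setting {flag} is off")
    return findings


# Constructed sample data (placeholder bucket name, owner id and role ARN).
OWNER = {"ID": "constructed-canonical-user-id"}
LEAKY = dict(
    acl={"Owner": OWNER, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},  # anyone may list
    ]},
    policy={"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket-placeholder/*"},
    ]},
    pab={"BlockPublicAcls": False, "IgnorePublicAcls": False,
         "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
)
LOCKED = dict(
    acl={"Owner": OWNER, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    ]},
    policy={"Version": "2012-10-17", "Statement": [
        {"Sid": "LabPartnerRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/lab-partner-placeholder"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket-placeholder/tn/*"},
    ]},
    pab={k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                           "BlockPublicPolicy", "RestrictPublicBuckets")},
)

if __name__ == "__main__":
    print("leaky: ", audit_bucket(**LEAKY))
    print("locked:", audit_bucket(**LOCKED))
```

The LOCKED configuration shows the shape of the "open only to lab-testing partners" intent the firm describes: a policy scoped to a named IAM role and a key prefix, with the public-access guards left on so that an ACL or policy change cannot silently reopen the bucket.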

Gliwka was able to establish a connection between the icliniq.com website and the S3 bucket. Test files he uploaded through the website appeared in the same cloud-based system.

He also found a second problem. The German researcher said iCliniq had failed to check for permissions in its web app so every user was able to see every question asked by other members – simply by guessing the ID number of the question. Technically, this is known as an IDOR (Insecure Direct Object Reference) vulnerability.
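The IDOR described above comes down to a lookup keyed on the question id alone, with the caller's identity never consulted. The Python below is an added example, not iCliniq's code; it models the web app's question store with a constructed in-memory table and shows the vulnerable handler beside a hardened one in which ownership is part of the lookup and a missing row and someone else's row return the same 404. The `visible_question_ids` helper is the kind of authorization regression test that catches the flaw.

```python
# Added example: IDOR on a "get question by id" endpoint, vulnerable and fixed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    id: int
    owner_id: int
    body: str


# Constructed sample rows standing in for the questions table (not real data).
QUESTIONS = {
    1001: Question(1001, owner_id=7, body="Attached: my blood screen results"),
    1002: Question(1002, owner_id=8, body="Is this rash a reaction to my medication?"),
    1003: Question(1003, owner_id=7, body="Follow-up on yesterday's answer"),
}


class NotFound(Exception):
    """Maps to HTTP 404 in the hypothetical web app."""


def get_question_vulnerable(question_id: int, current_user_id: int) -> Question:
    """IDOR: the lookup is keyed on the id alone; the caller's identity is ignored,
    so any logged-in user can read any question by supplying its id."""
    q = QUESTIONS.get(question_id)
    if q is None:
        raise NotFound(question_id)
    return q


def get_question_hardened(question_id: int, current_user_id: int) -> Question:
    """Authorization is part of the lookup: the row must belong to the caller
    (in SQL terms, WHERE id = ? AND owner_id = ?). A missing row and another
    user's row give the same 404, so responses do not reveal which ids exist."""
    q = QUESTIONS.get(question_id)
    if q is None or q.owner_id != current_user_id:
        raise NotFound(question_id)
    return q


def visible_question_ids(fetch, current_user_id: int) -> list[int]:
    """Regression check: which rows of the constructed table can this user read
    through `fetch`? For a correct handler the answer is only their own rows."""
    seen = []
    for qid in sorted(QUESTIONS):
        try:
            fetch(qid, current_user_id)
        except NotFound:
            continue
        seen.append(qid)
    return seen


if __name__ == "__main__":
    print("vulnerable:", visible_question_ids(get_question_vulnerable, 7))  # [1001, 1002, 1003]
    print("hardened:  ", visible_question_ids(get_question_hardened, 7))    # [1001, 1003]
```

Putting the ownership condition in the query itself, rather than fetching the row and checking afterwards, is the habit that prevents the check from being forgotten on the next endpoint that takes an id.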

El Reg ran Gliwka’s findings past UK security researcher Scott Helme, who quickly confirmed iCliniq had a serious breach to resolve.

“They need to get this locked down ASAP,” Helme told El Reg. “The bucket should be easier to fix than the IDOR… but both need work.”

Armed with this confirmation, El Reg joined Gliwka in chasing iCliniq. This wasn’t straightforward, but as soon as we escalated the issue to iCliniq’s chief exec, Dhruv Suyamprakasam, both problems were promptly resolved.

Siddharth Parthiban, iCliniq’s data protection officer, apologised to Gliwka for the organisation’s initial failure to respond to a vulnerability notification.

An internal investigation revealed that medical files of patients of two regions of India, the states of Tamil Nadu and Punjab, that were meant to be open only to lab-testing partners were actually publicly accessible.

“The S3 folder taken for these regions in India must have been moved [from] private,” Parthiban explained in an email. Challenged on this point, the data protection officer reiterated that only Indian data was exposed. “I confirm that ONLY files of the two states in India (Tamil Nadu and Punjab) were public. Files of other regions/countries/continents were/are NOT public,” Parthiban told El Reg.

Once it had confirmed the issue, iCliniq treated the problem as a critical priority and promptly restricted access to confidential medical data. iCliniq promised it would contact the particular patient whose data Gliwka cited as an example. It didn’t offer any commitment to other people whose data was kept in the same previously insecure S3 bucket.

Gliwka confirmed that when he tried to access the confidential repository on Wednesday, access was denied.

“The Amazon S3 bucket no longer publicly lists its contents and the direct links to documents I have the link to are no longer accessible,” Gliwka told El Reg. “The IDOR vulnerability, which allowed to see the private questions of other users, is also fixed.”

Gliwka remains dissatisfied with iCliniq’s response. He’s not convinced that the issue was geographically contained to India and challenged iCliniq on this point.

The Register notes that test documents uploaded by both researchers – Gliwka (in Germany) and Scott Helme (in the UK) – ended up in the same publicly accessible AWS S3 bucket before the firm made the fix. “Your file is definitely accessible by you alone,” iCliniq told Gliwka when he raised this point.

Breach alert

The firm should be notifying everyone whose details were potentially exposed by the breach – not just the handful of files Gliwka and Helme accessed in verifying the problem, and not solely the patient whose file was emailed around by way of example. Ostensibly, even the names of files stored in the repository exposed sensitive information.

“While I believe that you’ve tried to protect those files by setting appropriate ACLs [Access Control Lists], I still had access to other files, even some files regarding data subjects outside of India,” Gliwka told iCliniq in an email shared with The Register. “The file listing did indeed contain sensitive information. Some file names contain the name of a patient combined with the name of a medical test/diagnosis/procedure, i.e. john-doe-hiv-test.pdf, john-doe-cancer.pdf… just with a real name.”

The firm said the files were pseudonymous and did not constitute personally identifiable information.

Gliwka told us: “The system uses the filename provided during the upload and saves it verbatim after prefixing the file id, user id, question id and a random looking value.”
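The naming scheme Gliwka describes means the patient-supplied filename, and with it the patient's name and test, becomes part of the object key, so a bucket listing alone leaks sensitive data. The Python below is an added example, not iCliniq's code: `described_key` reproduces the scheme as described (the separator between the prefixed ids is an assumption), while `opaque_key_and_record` shows the usual remedy of giving the object a random key and keeping the sanitized display name, owner and question id in a private database record instead.

```python
# Added example: object keys built from uploaded filenames versus opaque keys.
import re
import secrets
import unicodedata


def described_key(file_id: int, user_id: int, question_id: int, original_name: str) -> str:
    """The scheme the researcher describes: file id, user id, question id, a
    random-looking value, then the uploaded filename verbatim. The patient's name
    travels into the object key. Underscore separators are an assumption."""
    return f"{file_id}_{user_id}_{question_id}_{secrets.token_hex(4)}_{original_name}"


_UNSAFE = re.compile(r"[^A-Za-z0-9._ -]")


def safe_display_name(original_name: str, max_len: int = 100) -> str:
    """Normalize the user-supplied name for later use in a Content-Disposition
    header: drop directory components, control and non-ASCII characters, and
    leading dots, and cap the length. Never used as the storage key."""
    name = unicodedata.normalize("NFKC", original_name).replace("\\", "/").rsplit("/", 1)[-1]
    name = _UNSAFE.sub("_", name).lstrip(". ").strip() or "upload"
    return name[:max_len]


def opaque_key_and_record(question_id: int, user_id: int, original_name: str) -> tuple[str, dict]:
    """The object key is random and says nothing about the patient; the display
    name, owner and question live in a private record keyed by the object key
    (here a plain dict standing in for a database row)."""
    key = f"uploads/{secrets.token_urlsafe(24)}"  # 32 URL-safe characters
    record = {
        "key": key,
        "owner_id": user_id,
        "question_id": question_id,
        "display_name": safe_display_name(original_name),
    }
    return key, record


def key_reveals(key: str, *fragments: str) -> bool:
    """True if any of the given fragments (e.g. a name or test) appears in the key."""
    return any(fragment.lower() in key.lower() for fragment in fragments)


if __name__ == "__main__":
    upload = "john-doe-hiv-test.pdf"  # constructed example filename
    print(described_key(5, 7, 1001, upload))
    key, record = opaque_key_and_record(1001, 7, upload)
    print(key, record)
```

With opaque keys, a listing of the bucket exposes nothing beyond the number of objects, and access decisions can be made against the private record (whose `owner_id` is exactly the field the IDOR fix above relies on) rather than against whatever the uploader typed.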

Leaky buckets

Instances of sensitive data being publicly viewable in Amazon-hosted cloud storage are far from rare. The latest breach is arguably the worst of its type since thousands of files containing the personal information of US citizens with classified security clearance were exposed last year.

There has since been a steady stream of such breaches, which shows little sign of letting up. That’s bad enough, but at the same time it is getting easier for interested parties to locate unsecured S3 buckets thanks to automated scripts, as previously reported.

Gliwka came across iCliniq’s bucket in the process of developing a tool to discover breaches of sensitive nature, something he described as a side project. “During the research on how to approach this problem I came across a multitude of buckets with sensitive information,” he said. “Most companies took them down rather quick[ly].”

The UK’s Information Commissioner’s Office has been informed of the breach. ®