Contact Tracing App in Qatar Exposed Data of 1 Million People, Amnesty International Says
An Amnesty International investigation found that a security flaw in Qatar’s contact tracing app exposed personal details of over 1 million people.
Contact tracing via smartphones and other devices could be the new norm, but the privacy issues raised by such apps shouldn’t be ignored. Worst-case scenarios range from companies using health data for other purposes or selling it, to poorly designed apps that can be hacked or that don’t secure the data correctly.
Unfortunately, this is exactly what happened with Qatar’s tracing app, which had a critical vulnerability that would have given attackers access to private information, including names, national ID, health status, and location data.
“While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact tracing app that malicious attackers could have easily exploited,” said Claudio Guarnieri, head of Amnesty International’s Security Lab. “This vulnerability was especially worrying given use of the EHTERAZ app was made mandatory last Friday.”
It took the Qatari authorities less than a day to fix the security issues, but there’s no guarantee that other vulnerabilities don’t exist.
The use of the application is mandatory in the small state. The problem is all the more complicated as the EHTERAZ app uses both GPS and Bluetooth data, allowing authorities to find and identify any user immediately.
Google and Apple collaborated to develop a common API that would allow iOS and Android devices to communicate with each other and offered that solution to health authorities and governments all over the world. But that API doesn’t allow developers to use GPS location as well, which means some countries will continue to make and use their own apps.