Zack Whittaker reports:
Amber Group has fixed a second security lapse that exposed private keys and passwords for the government’s JamCOVID app and website.
A security researcher told TechCrunch on Sunday that the Amber Group left a file on the JamCOVID website by mistake, which contained passwords that would have granted access to the backend systems, storage and databases running the JamCOVID site and app. The researcher asked not to be named for fear of legal repercussions from the Jamaican government.
The researcher has reason to be concerned. Rather than fully own the first leak, a Jamaican Minister of National Security suggested that Whittaker may have violated the country’s laws, depending on how or how much he looked at exposed data. He announced that they had opened a criminal investigation.
Such threats, often made to divert attention from the entity’s own embarrassing failures, are referred to as “shooting the messenger” and can have a chilling effect on responsible disclosure. The fact that the researcher who found the second problem did not contact the government directly and felt the need for protection highlights the risk. What if the researcher had not been willing to take even the chance of letting a reporter know about the second problem?
As Whittaker reports:
Details of the exposure come just days after Escala 24×7, a cybersecurity firm based in the Caribbean, claimed that it had found no vulnerabilities in the JamCOVID service following the initial security lapse.
Escala’s chief executive Alejandro Planas declined to say if his company was aware of the second security lapse prior to its comments last week, saying only that his company was under a non-disclosure agreement and “is not able to provide any additional information.”