South African medical data startup LogBox inadvertently exposed account access tokens to the public Internet because of a misconfigured firewall. This potentially exposed the personal and private data of the doctors and patients who used the platform.
The company has fixed the error, performed a full forensic audit, notified all of the institutions that use LogBox, and forced those whose LogBox accounts may have been affected to change their passwords.
At the start of July, LogBox received international media attention when TechCrunch reported that a security researcher, who goes by Anurag Sen on Twitter, had discovered an unsecured LogBox database containing user access tokens on the Internet.
These tokens could be used to log into LogBox accounts without a password, giving full access to the account.
LogBox’s initial reaction was that TechCrunch’s article was “factually incorrect” and that it was reserving its legal rights against the publication and the security researcher.
Representatives of LogBox have since told MyBroadband that while there are still inaccuracies in the TechCrunch article, they were mistaken about the extent of the data exposure.
“We were wrong with at least one aspect of the TechCrunch article. We now know that there could have been more damage done, but luckily there wasn’t,” a spokesperson for the company said in an interview.
They also wanted to make clear that the database did not contain user account and patient data.
What Anurag Sen found was an Elasticsearch database that contained application logs.
“This was a completely separate utility database only used for performance monitoring,” LogBox said.
The logs stored to this database included ephemeral user access tokens which could be used to access the LogBox accounts of patients and doctors. Under normal circumstances these tokens would only be valid for eight hours, LogBox explained.
When it became aware of the issue, LogBox immediately revoked the access tokens. After fixing the problem it informed affected users and forced those who are most at risk to change their passwords.
LogBox said that while it has received a tremendous outpouring of support from the healthcare professionals and institutions it works with, the potential fallout from the way this vulnerability was reported is tremendous.
“In many respects, LogBox is still a non-profit in that it subsidises work at a private teaching hospital — the only private teaching hospital on the African continent — where it is used in its most extensive capacity,” the company said.
“It’s being used for clinical case collaboration between multiple specialists in a way that isn’t happening anywhere else on the African continent or, for the most part, in the rest of the world either,” stated LogBox.
“This thing is changing how medicine is practised in South Africa. People die because practitioners don’t speak to each other or patients don’t get the right treatment.”
According to LogBox, all of this progress was placed in jeopardy because of the way this disclosure happened.
LogBox suspects foul play
While LogBox told MyBroadband that it has no interest in pursuing legal action against TechCrunch or Anurag Sen, it still believes that both parties may have violated South African and United States law.
“Sen unequivocally committed an offence under the Electronic Communications and Transactions Act and his actions may be unlawful under the Protection of Personal Information Act,” LogBox said.
LogBox also argued that TechCrunch and Anurag Sen may have violated United States law under the Foreign Corrupt Practices Act.
Legal concerns aside, LogBox questioned how such a small business drew the attention of Anurag Sen and TechCrunch.
“LogBox is a tiny, pitiful little business. It does have potential, but it’s small and has been attacked in its infancy,” the company told MyBroadband.
“At some level, we’re flattered by the amount of interest. However, we are thoroughly perplexed by Sen’s interest and TechCrunch’s reporting of it.”
Because of the circumstances, LogBox said that it can’t help but wonder whether someone who means them harm paid for Anurag Sen to search for security vulnerabilities in their platform.
LogBox said it identified three parties who may be interested in cutting down LogBox while it is still in its early stages of development, and who have the network and wherewithal to do it.
“Two of them are private individuals with corporate interests, and one involves a disgraced doctor that used to work at a hospital that is also our single largest user from a hospital group perspective,” LogBox stated.
Its third suspect is a “very large commercial enterprise” in the healthcare industry.
LogBox reiterated that it has “absolutely no plans” to sue TechCrunch and Sen.
“We’re just interested in getting to the bottom of why this happened.”
Anurag Sen responds
MyBroadband asked Anurag Sen whether they were paid to investigate LogBox for security vulnerabilities.
“No, that’s absolutely absurd,” the security researcher said.
“As you know from my profile, I do it to make the Internet a safer place. Also, I work independently.”
Anurag Sen said that there are more than 40,000 exposed servers worldwide. LogBox’s Elasticsearch database was just one of them.
According to the researcher, LogBox’s server came up as part of a web mapping project they were working on.
“I was looking for exposed Elasticsearch databases on the Internet,” Anurag Sen explained.
“These exposed databases occur due to misconfiguration. The server was easily accessible just by typing the IP address and port and it was left without any password.”
Making co-ordinated disclosure easier for security researchers
Asked about the lessons they have learnt from this incident, a spokesperson for LogBox’s parent company, Group Elephant, explained that they are not inexperienced at handling security issues.
Not only does the company hold an ISA certification covering how to handle information security, it has also had to deal with hacks before.
According to Group Elephant, clients who were targeted in past hacks have told them they handled the incident admirably.
What happened with LogBox was a human failure, the company said.
Anurag Sen sent an e-mail to the LogBox support desk regarding the vulnerability and received a ticket saying that his query would be attended to in short order.
The agent responsible for the ticket dismissed it as a hoax and did not take the matter further.
However, Sen told MyBroadband that because he received a support ticket he didn’t try to contact LogBox again. It seemed clear that LogBox had received his message and just wasn’t acting on it, so he went to TechCrunch.
As a result of this incident, LogBox said it would make responsible disclosure easier for legitimate security researchers.
However, it also said that just because someone claims to be an ethical hacker that doesn’t make them one.
“If you want to call yourself responsible and ethical, then behave responsibly and ethically,” LogBox said.