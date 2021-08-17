
A bug in a medical startup's website put thousands of COVID-19 test results at risk

Zack Whittaker

A California-based medical startup that provides COVID-19 testing across Los Angeles has pulled down a website it used to allow customers to access their test results after a customer found a vulnerability that allowed access to other people's personal information.

Total Testing Solutions has ten COVID-19 testing sites across Los Angeles, and processes "thousands" of COVID-19 tests at workplaces, sports venues, and schools each week. When test results are ready, customers get an email with a link to a website to get their results.

But one customer said they found a website vulnerability that allowed them to access other customers' information by increasing or decreasing a number in the website's address by a single digit. That allowed the customer to see other customers' names and the date of their test. The website also only requires a person's date of birth to access their COVID-19 test results, which the customer who discovered the vulnerability said "wouldn't take long" to brute-force, or simply guess. (That's just 11,000 birthday guesses for anyone under age 30.)


Although the test results website is protected by a login page that prompts the customer for their email address and password, the vulnerable part of the website that allowed the customer to change the web address and access other customers' information could be accessed directly from the web, bypassing the sign-in prompt altogether.
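The two weaknesses described above, a record selected by a sequential number in the URL and gated only by a date of birth, beside a hardened lookup that binds each result to the signed-in account through an unguessable token. This is an added illustration, not code from Total Testing Solutions; the records, e-mail addresses and function names are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample records (not real patient data) modelling the legacy
# lookup path the article describes and a hardened replacement for it.
@dataclass(frozen=True)
class TestResult:
    result_id: int        # sequential, as on the legacy server
    owner_email: str      # the account that logged in to book the test
    name: str
    dob: str              # ISO date; the only "secret" on the legacy path
    outcome: str

RESULTS = [
    TestResult(1001, "alice@example.com", "Alice Example", "1990-04-12", "negative"),
    TestResult(1002, "bob@example.com", "Bob Example", "1985-11-03", "positive"),
]
BY_ID = {r.result_id: r for r in RESULTS}

def lookup_legacy(result_id: int, dob: str) -> Optional[TestResult]:
    """The pattern in the article: the record is chosen by a number in the
    URL and released on a matching DOB, with no check on who is asking."""
    r = BY_ID.get(result_id)
    return r if r is not None and r.dob == dob else None

# Hardened path: a record is reachable only via a random token, and the token
# is minted and honoured only for the account that owns the record.
_TOKENS: Dict[str, int] = {}

def issue_result_link(session_email: str, result_id: int) -> Optional[str]:
    """Called after login; mints a link token only for the caller's own record."""
    r = BY_ID.get(result_id)
    if r is None or r.owner_email != session_email:
        return None
    token = secrets.token_urlsafe(32)   # 256 bits: not enumerable
    _TOKENS[token] = result_id
    return token

def lookup_hardened(session_email: str, token: str) -> Optional[TestResult]:
    """Ownership is re-checked on every fetch, so a leaked or guessed token
    still returns nothing to a different signed-in user."""
    r = BY_ID.get(_TOKENS.get(token, -1))
    if r is None or r.owner_email != session_email:
        return None   # same response for "unknown token" and "not yours"
    return r
```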

The customer passed details of the vulnerability to TechCrunch so that it could be fixed before someone else found or exploited it, if that had not already happened.

TechCrunch verified the customer's findings. While we did not enumerate each result code, limited testing found that the vulnerability likely put around 60,000 tests at risk. TechCrunch reported the vulnerability to TTS chief medical officer Geoffrey Trenkle, who did not dispute the number of discovered tests, but said the vulnerability was limited to an on-premise server used to provide legacy test results that has since been shut down and replaced by a new cloud-based system.

"We were recently made aware of a potential security vulnerability in our former on-premises server that could allow access to certain patient names and results using a combination of URL manipulation and date of birth programming codes," said Trenkle in a statement. "The vulnerability was limited to patient information obtained at public testing sites before the creation of the cloud-based server. In response to this potential threat, we immediately shut down the on-premises software and began migrating that data to the secure cloud-based system to prevent future risk of data breach. We also initiated a vulnerability assessment, including the review of server access logs to detect any unrecognized network activity or unusual authentication failures."

Trenkle declined to say when the cloud server became active, and why the allegedly legacy server had test results as recently as last month.

"Currently, TTS is not aware of any breach of unsecured protected health information as a result of the issues with its prior server. To our knowledge, no patient health information was actually compromised, and all risk has been mitigated going forward," said Trenkle.

Trenkle said the company will comply with its legal obligations under state law, but stopped short of explicitly saying if the company plans to notify customers of the vulnerability. Although companies aren't obliged to report vulnerabilities to their state's attorney general or to their customers, many do out of an abundance of caution since it's not always possible to determine if there was improper access.

TTS chief executive Lauren Trenkle, who was copied on an email chain, did not comment.

