Jamaica’s Amber Group fixes second JamCOVID security lapse

Second Security Breach Affects JamCOVID App and Website
Amber Group has addressed a second security vulnerability that resulted in the exposure of private keys and passwords associated with the Jamaican government’s JamCOVID application and website.
Details of the Exposure
A security researcher, choosing to remain anonymous due to potential legal ramifications from the Jamaican government, informed TechCrunch on Sunday about the incident. The Amber Group inadvertently left a file on the JamCOVID website containing credentials that could have provided access to the app and site’s backend systems, storage, and databases.
This file, identified as an environment variables (.env) file, is commonly used for storing sensitive information like private keys and passwords required for cloud application functionality. However, accidental exposure or uploading of such files can be exploited by malicious actors to compromise data or services.
Location and Credentials Exposed
The exposed file was located within an accessible directory on the JamCOVID website. While the JamCOVID domain resides on the Ministry of Health’s website, Amber Group is responsible for the maintenance and control of the JamCOVID dashboard, app, and website.
The file contained confidential credentials for Amazon Web Services databases and storage servers utilized by JamCOVID. It also included a username and password for the SMS gateway used for sending text messages, as well as credentials for the email-sending server. (TechCrunch refrained from testing these credentials to avoid unlawful activity.)
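The failure described above, a .env file sitting inside a directory the web server publishes, can be caught with a check run before deployment. The following is an added example, not code from the original article or from Amber Group: it walks a directory that is about to be published, flags dotenv files, and lists credential-like key names without their values. The function names, the key-name heuristic and the sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Filenames treated as dotenv files: ".env", ".env.production", "app.env"
ENV_NAME = re.compile(r"^(\.env(\..+)?|.+\.env)$")
# Key names that suggest a credential (heuristic chosen for this example)
SECRET_KEY = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|ACCESS_KEY|PRIVATE)", re.I)
# KEY=VALUE lines, optionally prefixed with "export"; comment lines do not match
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def scan_webroot(webroot):
    """Map each dotenv file under webroot to its credential-like key names (values omitted)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not ENV_NAME.match(name):
                continue
            path = os.path.join(dirpath, name)
            keys = []
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    m = ASSIGNMENT.match(line)
                    # Report only non-empty assignments whose key looks like a secret
                    if m and m.group(2).strip() and SECRET_KEY.search(m.group(1)):
                        keys.append(m.group(1))
            # Any dotenv file in a published directory is a finding, even with no keys
            findings[os.path.relpath(path, webroot)] = keys
    return findings


def demo():
    """Build a constructed web root containing a stray .env file and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "assets"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>dashboard</h1>\n")
        # Constructed sample content; every value is a placeholder
        with open(os.path.join(root, "assets", ".env"), "w") as fh:
            fh.write("# constructed sample\nAPP_NAME=demo\n"
                     "AWS_SECRET_ACCESS_KEY=EXAMPLE-PLACEHOLDER\n"
                     "SMS_GATEWAY_PASSWORD=EXAMPLE-PLACEHOLDER\n"
                     "export MAIL_API_KEY='EXAMPLE-PLACEHOLDER'\n")
        return scan_webroot(root)


if __name__ == "__main__":
    print(demo())
```

A non-empty result from `scan_webroot` is a reason to fail the deployment step; any credential that has already been served from a public directory should be revoked and replaced, as was requested in this case.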
Response and Investigation
Upon being alerted by TechCrunch, Amber Group’s chief executive, Dushyant Savadia, promptly removed the exposed file. A request was also made for the revocation and replacement of the compromised keys, though Mr. Savadia did not provide a comment.
Matthew Samuda, a minister within Jamaica’s Ministry of National Security, did not respond to inquiries regarding the incident. Questions included whether the Jamaican government intends to continue its contract with Amber Group and what security stipulations were established between the two parties for the JamCOVID app and website.
Recent Security Assessments
This disclosure follows a recent statement by Escala 24×7, a Caribbean-based cybersecurity firm, which claimed to have found no vulnerabilities in the JamCOVID service after the initial security lapse.
Alejandro Planas, Escala’s chief executive, declined to confirm whether his company was aware of the second breach prior to their previous comments, citing a non-disclosure agreement that prevents them from releasing further information.
Previous Incident and Development Timeline
This latest security incident occurs less than a week after Amber Group secured a passwordless cloud server containing immigration records and negative COVID-19 test results for a substantial number of travelers to the island over the past year. Travelers are required to upload their COVID-19 test results to obtain travel authorization.
Reports indicate that Amber’s Savadia previously stated that the JamCOVID19 application was developed within a timeframe of just three days.
Current Status
While neither Amber Group nor the Jamaican government has issued a public statement to TechCrunch, Samuda has informed local radio that a criminal investigation into the security lapse has been initiated.
Zack Whittaker