Amber Group reportedly fixes second security lapse that exposed private keys and passwords for the Government’s JamCOVID app and website

by February 23rd, 2021

The Amber Group has reportedly fixed a second security lapse that exposed private keys and passwords for the Government’s JamCOVID app and website.

 

American technology-based newspaper TechCrunch alleges that it was informed by a security researcher on Sunday that a file had been left on the JamCOVID website by mistake. The file contained passwords that would have granted access to the backend systems, storage and databases running the JamCOVID site and app.

 

The researcher reportedly asked not to be named for fear of legal repercussions from the Jamaican Government.

 

TechCrunch says this file, known as an environment variables (.env) file, is often used to store private keys and passwords for third-party services that are necessary for cloud applications to run.

 

These files are sometimes inadvertently exposed or uploaded by mistake, and if found by a malicious actor they can be abused to gain access to data or services that the cloud application relies on.

 

TechCrunch says the exposed environment variables file was found in an open directory on the JamCOVID website. Although the JamCOVID domain appears to be on the Ministry of Health’s website, Amber Group controls and maintains the JamCOVID dashboard, app and website.

 

It says the exposed file contained secret credentials for the Amazon Web Services databases and storage servers for JamCOVID.

 

TechCrunch says the file also contained a username and password to the SMS gateway used by JamCOVID to send text messages, and credentials for its email-sending server.

 

The news company said it contacted Amber Group’s Chief Executive, Dushyant Savadia, to alert the company to the security lapse, and that he pulled the exposed file offline a short time later.

 

It says details of the exposure come just days after a cybersecurity firm based in the Caribbean claimed that it had found no vulnerability in the JamCOVID service following the initial security lapse.

 

This latest security incident comes less than a week after another incident that is being investigated.