Wiqaytna (وقايتنا) Disclosure

November 2020
PDF Slides Video

Description

A Major vulnerability has been discovered during the security assessment of Morocco’s COVID-19 Mobile Tracing Application Wiqaytna.

It concerns a core component of the application (Authentication) and can be classified under A2:2017-Broken Authentication in OWASP Top Ten or CWE-287: Improper Authentication in Common Weakness Enumeration.

A malicious actor can leverage this vulnerability of bypassing the second step of authentication (OTP to a phone number) to potentially impersonate and register to the platform as any given phone number.

Depending on the data treatment behind the scenes on the platform, the impact could range from poisoning the COVID-19 Tracing dataset to real-life consequences as creating an artificial cluster targeting a person of interest or a rival company.

The vulnerability has been scored using the CVSS v3.1 risk assessment framework and can be summarize as follow:

Responsible Disclosure

[1.0] - 2020-11-23

  • Anonymisation and public disclosure

[0.7] - 2020-08-23

  • Final Response 2020-08-23
  • Initial Response 2020-07-23

[0.5] - 2020-07-17

  • Urgent Security Advisory with PoC Issued

[0.3] - 2020-07-11

  • Anamnesis & Static Diagnostic Completed

[0.1] - 2020-06-20

  • Started Analysis
disclosure
H.A.T
H.A.T
Gentleman {Entrepreneur, Researcher}

H.A.T is an independent researcher that describes himself as an InfoSec Kepo, curious about playing with computers since his Moroccan early ages.