TechCrunch published an article on February 22, 2021, about Amber Group fixing a second JamCOVID security lapse. Here’s a summary:
- The Amber Group has fixed a second security lapse that exposed private keys and passwords for the Jamaican Government’s JamCOVID application and website. The group mistakenly left a file on the JamCOVID website, which contained passwords that grant access to the backend systems, storage, and databases running the JamCOVID site and app.
- The file, known as an environment variables (.env) file, is often used to store private keys and passwords for the third-party services that cloud applications need in order to run. If found by malicious actors, it can be used to gain access to the data or services that the cloud application relies on.
- The file was found in an open directory on the JamCOVID website and contained secret credentials for the Amazon Web Services databases and storage servers for JamCOVID. The file also contained a username and password to the SMS gateway used by JamCOVID to send text messages and credentials for its email-sending server.
- TechCrunch contacted Amber Group’s CEO to alert the company to the security lapse, and the exposed file was pulled offline soon after. Matthew Samuda, a minister in the Ministry of National Security in Jamaica, did not respond to a request for comment or questions.
- This incident comes less than a week after Amber Group secured a passwordless cloud server hosting immigration records and negative COVID-19 results for thousands of travellers who visited the island over the past year.
- Neither the Jamaican Government nor Amber Group commented to TechCrunch. Still, Samuda stated on local radio that a criminal investigation had been launched into the security lapse.
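The exposure summarised above is a .env file sitting inside a directory the web server publishes. As an added example (not from the TechCrunch article or Amber Group), this pre-deploy check walks a web root, finds dotenv-style files, and reports which credential-like keys they hold without printing the values; the file-name and key-name patterns are assumptions, and the sample web root is constructed.

```python
import os
import re
import tempfile

# Assumptions (heuristics, not exhaustive): dotenv-style file names, and key
# names that usually hold credentials.
ENV_FILE = re.compile(r"^(\.env(\..+)?|.+\.env)$")
SECRET_NAME = re.compile(r"PASS|SECRET|TOKEN|KEY|CREDENTIAL", re.IGNORECASE)
LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def parse_env(text):
    """Return {key: value} for KEY=VALUE lines; comments and blanks are skipped."""
    pairs = {}
    for line in text.splitlines():
        m = LINE.match(line)  # a '#' comment line cannot match the key pattern
        if m:
            pairs[m.group(1)] = m.group(2).strip().strip("'\"")
    return pairs

def audit_webroot(webroot):
    """List dotenv files under a published directory as (relative path, secret-looking
    key names). Values are never returned, so the report itself leaks nothing."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if ENV_FILE.match(name):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    pairs = parse_env(fh.read())
                keys = sorted(k for k, v in pairs.items() if v and SECRET_NAME.search(k))
                findings.append((os.path.relpath(path, webroot), keys))
    return sorted(findings)

def demo():
    """Audit a constructed web root that has one misplaced .env file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "assets"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>ok</h1>")
        with open(os.path.join(root, "assets", ".env"), "w") as fh:  # placeholder values
            fh.write("# constructed sample\nAPP_NAME=demo\nDB_PASSWORD=placeholder\n"
                     "export SMS_API_KEY='placeholder'\nSMTP_PASSWORD=\n")
        return audit_webroot(root)

if __name__ == "__main__":
    for rel, keys in demo():
        print(f"{rel}: secret-looking keys {keys}")
```

Any finding means the file should be moved out of the published directory and every credential in it rotated, since removing the file does not undo an earlier download.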
Contributed by Racquel Bailey from Jamaica. Racquel is a member of our Women in InfoSec Caribbean (WISC) initiative on Discord. WISC is a non-profit initiative supporting Caribbean women and girls to develop a career in Information Security.
Learn more about WISC at wiscaribbean.org.