WiredJA Online News posted an article on February 22, 2021, about the second breach of Jamaica’s JamCOVID site. Below are some key highlights:
- According to TechCrunch, the second lapse has since been fixed by the Amber Group, the contractors who built the website
- “a security researcher told TechCrunch on Sunday that the Amber Group left a file on the JamCOVID website by mistake, which contained passwords that would have granted access to the backend systems, storage and databases running the JamCOVID site and app.”
- The TechCrunch story explained that “this file, known as an environment variables (.env) file, is often used to store private keys and passwords for third-party services that are necessary for cloud applications to run
- It was noted that “the exposed environmental variables file was found in an open directory on the JamCOVID website
- The file contained a username and password to the SMS gateway used by JamCOVID to send text messages, and credentials for its email-sending server.”
Reference(s):