Share this article on:
The personal data of individuals who took a COVID-19 test at a Walgreens pharmacy has been exposed over the Internet due to vulnerabilities in its COVID-19 test registration system.
It is currently unclear how many individuals have been affected, although they could well number in the millions given the number of COVID-19 tests Walgreens has performed since April 2020. It is unclear when the vulnerabilities were introduced on the website, but they date back to at least March 2021 when they were discovered by Interstitial Technology PBC consultant Alejandro Ruiz. He identified a security error when a member of his family had a COVID-19 test performed at Walgreens. Ruiz contacted Walgreens to alert them to the data exposure, but claimed the company was not responsive.
Ruiz spoke to Recode about the issue, which had the security flaws confirmed by two security experts. Recorde reported the issue to Walgreens, and the company said, “We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate.” However, as of September 13, 2021 the vulnerabilities had not been addressed.
Recode reports that using the Wayback Machine, which contains an archive of the Internet, it was possible to see blank test confirmations dating back to July 2020, indicating the vulnerabilities have been present since at least then.
According to the security researchers, the vulnerabilities were the result of basic errors in the Walgreens’ Covid-19 test appointment registration system. When a patient completes an online form, they are assigned with a 32-digit ID number and an appointment request form is created which has the unique 32-digit ID number in the URL. Anyone who has that URL is able to access the form. There is no need to authenticate to view the page.
The pages only contain a patient’s name, type of test, appointment time and location in the visible portion, but through the developer tools panel of a web browser it is possible to access other data, including date of birth, address, email address, phone number, and gender identity. Since the OrderID and the name of the lab that performed the test is also included in the data, it would be possible to access the test result, at least at one of Walgreens’ lab partners’ test result portals.
An active page could be viewed by an unauthorized individual if using a computer of someone who had booked a test via their Internet history. An employer, for instance, could view the information if the page was accessed on a work computer. The data would also be accessible to the third-party ad trackers present on the Walgreens appointment confirmation pages. Researchers note that the confirmation pages have ad trackers from Adobe, Dotomi, Facebook, Akami, Google, Monetate, and InMoment, all of which could potentially access private information.
The URLs of all confirmation pages are the same aside from the unique 32-digit code contained in a “query string”. The researchers said there are likely millions of active appointment confirmation pages since Walgreens has been conducting COVID-19 tests at around 6,000 sites across the United States for almost 18 months.
The researchers suggested a hacker could create a bot to generate 32-digit identification numbers, add them to URLs, and then identify active pages. Considering the number of digits in the URL that would be a lengthy task, but it is not beyond the realm of possibility.
“Any company that made such basic errors in an app that handles health care data is one that does not take security seriously,” said Ruiz to Recode. “It’s just another example of a large company that prioritizes its profits over our privacy.”