Fearing coronavirus, a Michigan college is tracking its students with a flawed app

Nucleus pushed out an updated version of the app on the same day with the keys removed, but did not acknowledge the vulnerability.

TechCrunch also wanted to look under the hood to see how Aura works. We used a network analysis tool, Burp Suite, to understand the network data going in and out of the app. (We’ve done this a few[13] times[14] before[15].) Using our spare iPhone, we registered an Aura account and logged in. The app normally pulls in recent COVID-19 tests. In our case, we didn’t have any and so the scannable QR code, generated by the app, declared that I had been “denied” clearance to enter campus — as to be expected.

But our network analysis tool showed that the QR code was not generated on the device but on a hidden part of Aura’s website. The web address that generated the QR code included the Aura user’s account number, which isn’t visible from the app. If we increased or decreased the account number in the web address by a single digit, it generated a QR code for that user’s Aura account.

In other words, because we could see another user’s QR code, we could also see the student’s full name, their COVID-19 test result status and what date the student was certified or denied.

TechCrunch did not enumerate each QR code, but through limited testing found that the bug may have exposed about 15,000 QR codes.
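As an added illustration (not code from the article, Nucleus or Aura), the following shows the class of bug described above: an endpoint that takes an account number from the URL with no ownership check, beside the hardened form that binds the request to the authenticated session, plus a simple log check a defender could use to spot one session walking through many account numbers. Account numbers, names and the log format are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data standing in for the app's account store:
# sequential account numbers, like the ones the article describes.
ACCOUNTS = {
    1001: {"name": "Student A", "status": "denied", "date": "2020-08-17"},
    1002: {"name": "Student B", "status": "certified", "date": "2020-08-17"},
}


class Forbidden(Exception):
    """Raised when a session asks for an account it does not own."""


def qr_payload_vulnerable(requested_id):
    """The flaw in the article: the account number in the URL is the only
    input, so any valid number returns that student's name and status."""
    return ACCOUNTS[requested_id]


def qr_payload_hardened(session_account_id, requested_id):
    """Bind the requested object to the authenticated principal: the QR
    payload may only be rendered for the account that owns the session."""
    if requested_id != session_account_id:
        raise Forbidden("account does not belong to this session")
    return ACCOUNTS[requested_id]


def enumeration_suspects(log_lines, threshold=3):
    """Detection side: flag sessions that requested QR payloads for more
    distinct account numbers than one student legitimately needs (one)."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        seen[fields["session"]].add(fields["account"])
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)


# Constructed log lines (hypothetical format, not the vendor's logs).
SAMPLE_LOG = [
    "2020-08-18T09:00:01 session=s1 account=1001",
    "2020-08-18T09:00:05 session=s2 account=1001",
    "2020-08-18T09:00:06 session=s2 account=1002",
    "2020-08-18T09:00:07 session=s2 account=1003",
]

if __name__ == "__main__":
    print(enumeration_suspects(SAMPLE_LOG))  # ['s2']
```

The hardened check is the minimum fix; using non-sequential, unguessable identifiers in the URL on top of it removes the trivial increment-and-retry pattern the article describes.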

We described the app’s vulnerabilities to Will Strafach, a security researcher and chief executive at Guardian Firewall. Strafach said the app sounded like a “rush job,” and that the enumeration bug could be easily caught during a security review. “The fact that they were unaware tells me they did not even bother to do this,” he said. And, the keys left in the source code, said Strafach, suggested “a ‘just-ship-it’ attitude to a worrisome extreme.”

An email sent by Albion president Matthew Johnson, dated August 18 and shared with TechCrunch, confirmed that the school has since launched a security review of the app.

We sent Nucleus several questions — including about the vulnerabilities and if the app had gone through a security audit. Nucleus fixed the QR code vulnerability after TechCrunch detailed the bug. But a spokesperson for the company, Tony Defazio, did not provide comment. “I advised the company of your inquiry,” he said. The spokesperson did not return follow-up emails.

In response to the student’s findings, Albion said[16] that the app was compliant with the Health Insurance Portability and Accountability Act, or HIPAA, which governs the privacy of health data and medical records. HIPAA also holds companies — including universities — accountable for security lapses involving health data. That can mean heavy fines or, in some cases, prosecution.

Albion spokesperson Chuck Carlson did not respond to our emails requesting comment.

At least two other schools, Bucknell University[17] and Temple University[18], are reopening for the fall semester by requiring students to present two negative COVID-19 tests through Genetworx. The schools are not using the Aura app, but their own in-house student app to deliver the test results.

Albion students, meanwhile, are split on whether to comply, or refuse and face the consequences. @Q3w3e3[19] said she will not use the app. “I’m trying to work with the college to find an alternative way to be tested,” she told TechCrunch.

Parents have also expressed their anger at the policy.

“I absolutely hate it. I think it’s a violation of her privacy and civil liberties,” said Elizabeth Burbank, a parent of an Albion student, who signed the petition against the school’s tracking effort.

“I do want to keep my daughter safe, of course, and help keep others safe as well. We are more than happy to do our part. I do not believe however, a GPS tracker is the way to go,” she said. “Wash our hands. Eat healthy. And keep researching treatments and vaccines. That should be our focus.

“I do intend to do all I can to protect my daughter’s right to privacy and challenge her right to free movement in her community,” she said.


Send tips securely over Signal and WhatsApp to +1 646-755-8849 or send an encrypted email to: zack.whittaker@protonmail.com

References

  1. whether to open (techcrunch.com)
  2. said in June (www.albion.edu)
  3. would finish (www.albion.edu)
  4. download and install a contact-tracing app (www.albion.edu)
  5. launch a petition (www.change.org)
  6. recent press release (www.prnewswire.com)
  7. contact-tracing apps (techcrunch.com)
  8. bad for privacy (techcrunch.com)
  9. expelled for alleged grade hacking (techcrunch.com)
  10. in an online Q&A (docs.google.com)
  11. @Q3w3e3 (twitter.com)
  12. Gilda (twitter.com)
  13. few (techcrunch.com)
  14. times (techcrunch.com)
  15. before (techcrunch.com)
  16. said (twitter.com)
  17. Bucknell University (www.ncnewsonline.com)
  18. Temple University (www.temple.edu)
  19. @Q3w3e3 (twitter.com)
