Information Technology expert Shawn Wenzel
US online publication TechCrunch is reporting the discovery of a second security lapse on the JAMCOVID-19 website.
In a report on Monday, it said Amber Group has fixed a second security lapse which exposed private keys and passwords for the app and website.
TechCrunch said a security researcher told it on Sunday that Amber Group had mistakenly left a file on the JAMCOVID-19 website containing passwords that would have granted access to the backend systems, storage and databases running the site and app.
It said the researcher asked not to be named fearing legal repercussions from the Jamaican government.
According to TechCrunch, it contacted Amber Group to alert it about the security lapse and the company pulled the exposed file offline a short time later.
Last week, the publication revealed a weakness in the website and app which, it said, left hundreds of thousands of travellers' data exposed.
The government has countered, saying only about 700 travellers were affected, and it has since launched an investigation into the breach.
An Information Technology expert has told Radio Jamaica News that based on information and screenshots released by TechCrunch, security was overlooked in the development of the JAMCOVID-19 website and app.
Shawn Wenzel says there were not enough limits on what user accounts could do.
“There’s something we have in IT called the principle of least privilege, which basically means that when you’re setting up an app like that there’s a hidden user account that the app is using to talk to its server…There are ways someone could uncover those credentials,” he explained.
Mr. Wenzel also said it is very important this user account is locked down “so that it can only do the bare minimum of what it needs to do for the app to function”.
In this case, he added, the “what it needs to be able to do is deposit the files into the repository but…it shouldn’t be able to read them from that repository”.
Mr. Wenzel also said the settings should have been adjusted so that files would automatically be deleted after a certain period of time.
He referred to a stipulation for the app which stated files would be deleted after a traveller’s quarantine period had ended.
“There’s an automated setting in Amazon that would actually do that. They [the developers] just had to have turned that on and it’s called Lifecycle…The files would’ve just automatically disappeared after 21 days but that obviously wasn’t done either,” Mr. Wenzel said.
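The two controls Mr. Wenzel describes, the write-only service account and the Lifecycle rule, expressed as AWS configuration in an added example that is not code from the JAMCOVID-19 project, Amber Group or Mr. Wenzel: a least-privilege IAM policy that can only deposit files, a check that flags any read or list permission granted to such a policy, and an S3 lifecycle rule that expires uploads after the 21-day quarantine period. The bucket name and key prefix are assumed placeholders.

```python
from fnmatch import fnmatchcase

BUCKET = "example-quarantine-uploads"  # assumed placeholder, not the real bucket
PREFIX = "uploads/"                    # assumed prefix the app deposits files under
RETENTION_DAYS = 21                    # quarantine period cited in the article

# Actions that would let the service account read back or enumerate deposited files.
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")


def write_only_policy(bucket: str = BUCKET, prefix: str = PREFIX) -> dict:
    """IAM policy for the app's hidden service account: deposit files, nothing more."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DepositOnly",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def over_privileged_actions(policy: dict) -> set:
    """Allowed action patterns (wildcards such as s3:* included) that cover a read
    or list action; an empty set means the account is write-only."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            # IAM action names are case-insensitive, so compare in lower case
            if any(fnmatchcase(r.lower(), pattern.lower()) for r in READ_ACTIONS):
                found.add(pattern)
    return found


def lifecycle_rule(prefix: str = PREFIX, days: int = RETENTION_DAYS) -> dict:
    """S3 lifecycle configuration that expires deposited files after `days` days."""
    return {
        "Rules": [{
            "ID": "expire-after-quarantine",
            "Status": "Enabled",
            "Filter": {"Prefix": prefix},
            "Expiration": {"Days": days},
        }]
    }
```

Attach the policy to the app's IAM user or role and apply the lifecycle configuration to the bucket; run the check against any existing policy to see whether it grants more than deposit rights.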