Crime and neighborhood watch app Citizen, which also launched a COVID-19 contact-tracing feature and broader citywide COVID surveillance program, exposed users' COVID-related data to the public internet, allowing anyone to view specific users' recent self-reported symptoms, test results, and whether their device had recorded any close contacts with other people using the feature. The information is directly linked to a person's username, which often is the person's full name.
The news highlights a haphazard security decision by Citizen. The company also recently put a bounty of $30,000 for information that would lead to the arrest of a person who turned out to have not committed a crime, and, as Motherboard reported, is planning a dramatic expansion into offering an on-demand private security force.
"5 Bluetooth contacts," one of the exposed pieces of COVID data reads. "0 Symptoms Reported Today" and "No Current Test Results Provided" read other parts of the same person's exposed COVID data. Citizen told Motherboard that the data included "share cards," images of a user's COVID information that are designed to be shared either by the user on social media or with their family and friends. Citizen exposed the data to the wider public, however.
As well as its ordinary crime reporting app, Citizen also offers "SafePass," its own contact-tracing program.
"With SafePass, you can track your symptoms, find testing sites, and enable Bluetooth contact tracing to get alerted when you’re exposed to COVID-19. If you need to meet with people outside your household for work or other essential reasons, create Pods together so you can stay aware," Citizen's website reads. Last year Los Angeles announced a partnership with Citizen to use SafePass.
The exposed data relates to the SafePass feature, with the URL of the website hosting the data including the phrase "safepass-generator."
A source who said they affiliate themselves with the hacking collective Anonymous pointed Motherboard to the exposed Citizen COVID data. When Motherboard viewed the data, it contained around 1,000 pieces of COVID data. It is not clear whether the data updates over time or how many users it impacted in total, however.
Shortly after Motherboard approached Citizen for comment, the exposed data became inaccessible. A Citizen spokesperson told Motherboard in a statement that "Users who participate in SafePass have the choice to create a public profile card that includes their name, photo, and self-reported COVID-19 symptoms or test results—it is designed to be shared on social media or shared with friends and family as part of our contact tracing app."
"We recently learned that a limited number of public share cards had been exposed in a data breach and immediately disabled the database to prevent unauthorized access. We have engaged an external security firm to work with our internal team to investigate the scale and scope of who could have accessed public, self-reported share cards," the statement added.