Personal data, including home numbers, names, addresses, dates of birth and email addresses, was published on the open web, exposing it to anyone, including ad trackers on the store’s site.
MILLIONS of patients could have had their private information leaked through Walgreens’ Covid testing system, according to a new report.
In some cases, even the results of Covid tests were posted on the open web, as reported by Recode.
Security experts told the site the weaknesses on Walgreens’ website are basic and should have been easily avoidable.
They stem from the company’s Covid test appointment registration system, which gives a unique 32-digit ID number to every patient who submits a form to get a test.
Once patients submit the form, they are sent to a new appointment request page, which includes the unique ID in the URL.
There are no personal verification steps or requirements, so anyone with the link can see the page, which stays active for as long as six months, or even longer.
More than 6,000 Walgreens testing sites used this registration system, so millions of unique IDs have been created. This ID offers many ways for hackers to steal the personal data of these patients, as they can create bots that generate countless URLs in order to hit an active page containing private information, and then use that information to try to hack the patients’ accounts on other sites.
Experts say, however, that it would be close to impossible for hackers to find active pages this way, because of the number of characters in the unique IDs and possible combinations. But anyone who has access to a patient’s browsing history could potentially access the page and thus the private information.
While only the patient’s name, type of test, and appointment time and location are visible on the public page, Walgreens requires someone’s full name, date of birth, phone number, email address, mailing address, and gender identity to register for an appointment. It’s unclear how long Walgreens’ registration system has had these issues, but the company started offering Covid testing in April 2020.
And all of that data can be accessed in a browser’s developer tools panel. Moreover, to get the results of a Covid test through at least one of Walgreens’ lab partners’ portals, all someone needs is the “orderId” and the name of the lab that performed the test.
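The pattern the report describes (a URL-embedded ID as the only access check, a long-lived page, and a response carrying more fields than the page displays) is sketched here next to a stricter version. This is an added example, not code from Walgreens or from the report; the field names, the 14-day lifetime and the date-of-birth check are assumptions chosen for illustration.

```python
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample record; every field name and value here is hypothetical.
CREATED = datetime(2021, 9, 1, tzinfo=timezone.utc)
APPT_ID = "0123456789abcdef0123456789abcdef"  # constructed 32-character ID
STORE = {APPT_ID: {
    "created": CREATED, "name": "Pat Example", "test_type": "PCR",
    "appointment_time": "2021-09-03T10:00", "location": "Example Store",
    "dob": "1980-01-31", "phone": "555-0100", "email": "pat@example.com",
    "address": "1 Example St", "gender": "X",
}}

# Only the fields the public page is said to display.
PUBLIC_FIELDS = ("name", "test_type", "appointment_time", "location")
MAX_AGE = timedelta(days=14)  # assumed link lifetime, instead of six months

# Response headers for the appointment page: keep the ID-bearing URL out of
# Referer headers sent to third parties, and keep the page out of caches.
PAGE_HEADERS = {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}


def weak_lookup(appt_id):
    """Pattern from the article: the ID in the URL is the only check and the
    response holds the whole registration record."""
    return STORE.get(appt_id)


def hardened_lookup(appt_id, dob, now):
    """Require a fact that is not in the URL, expire old links, and return
    only the fields the page renders. Every failure looks the same (404)."""
    rec = STORE.get(appt_id)
    ok = (rec is not None
          and now - rec["created"] <= MAX_AGE
          and hmac.compare_digest(dob.encode(), rec["dob"].encode()))
    if not ok:
        return 404, None
    return 200, {field: rec[field] for field in PUBLIC_FIELDS}
```

With the stricter handler, a link recovered from browsing history is not enough on its own, and the response no longer contains the phone number, email address, mailing address or date of birth.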