Aarogya Setu: The story of a failure - French Hacker

French ethical hacker Robert Baptiste, who goes by the name Elliot Alderson on Twitter, has yet again found a flaw in the Aarogya Setu, a mobile application developed by the Indian government to trace the spread of Covid-19 among the population.

According to Baptiste, anyone with the right technical know-how can find out the Covid-19 status of a given area by exploiting a flaw that allows users to set a location within the Aarogya Setu application. Using the flaw, Alderson was able to find that five people each in the Prime Minister’s Office (PMO) and defence ministry who had reported that they were feeling unwell today (May 06).

The cybersecurity expert also said that inside the Indian Parliament, an individual updated their status to infected while two people said they were feeling unwell. He also found that two people had selected the unwell option inside the Indian Army headquarters in New Delhi.

Inc42 has written to the team working on Aarogya Setu for a response. We would be updating the story as soon as there’s a response.

Quick Summary in Elliot Alderson’s medium.com page


India has so many Big IT Companies but Cannot Develop a Secure app For It’s people Disappointing :face_with_raised_eyebrow: :thinking:

1 Like

Read it carefully , it was made by the govt. If something is made by the govt, it would be full of flws for sure, weather its an app or a road or a bridge.


but being able to find such people isn’t this the job of this application similarly i hacked pokemon go using gps coordinates to reach all locations if i can change my gps i can see all people in that location similaly it think it is not a hack but privacy matter while this should be visible to public having those gps coordinates

I don’t know why this has become a very sought after topic ? Rules are made to be broken and so are the apps. Big companies like Google, Facebook run bug bounty programs to patch their flaws. So it will be patched. And if people are conserned about their data privacy then they really should shut the f*** up if they are using Google or Facebook.


Yeah we have but mass programmers not productive programmers ! In college students are mostly mugging up :kissing: