
Source: CloudSEK
A recent investigation by CloudSEK’s BeVigil platform has revealed critical vulnerabilities in the API infrastructure of a prominent diagnostic chain, exposing sensitive personal and medical data of potentially millions of users. The vulnerabilities stem from a publicly accessible JavaScript file containing sensitive API keys, authentication tokens, and unsecured endpoints.
“This file contained sensitive API keys, authentication tokens, and unsecured endpoints, granting unauthorized access to critical systems,” the report states.
Among the key findings, BeVigil’s Web App Scanner identified exposed personal information such as names, addresses, mobile numbers, and medical reports accessible without proper authentication. Misconfigured ABHA accounts allowed attackers to take over accounts or create fraudulent profiles. Flaws in both the Admin and Live APIs left the diagnostic chain vulnerable to exploitation, risking the integrity of sensitive user data.
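The root cause named above is a publicly served JavaScript file carrying API keys, tokens and backend endpoints. The following is an added example, not code from CloudSEK, BeVigil or the diagnostic chain: a small pre-deployment check that scans a JavaScript bundle for exactly that kind of material and reports each finding with its line number and a redacted value. The regular expressions, the finding classes and the sample bundle (including every key name, URL and value in it) are assumptions constructed for illustration.

```python
"""Pre-deployment scan of a JavaScript bundle for embedded credentials and
hard-coded backend endpoints. Added example; patterns and sample are
constructed, not taken from the report."""

import re

# Finding class -> pattern. Group 1 captures the sensitive value.
PATTERNS = {
    "api_key_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|apikey|secret|access[_-]?token)\s*[:=]\s*['"]([^'"]{16,})['"]"""
    ),
    "bearer_token": re.compile(r"""(?i)bearer\s+([A-Za-z0-9\-_\.=]{20,})"""),
    "admin_endpoint": re.compile(r"""['"](https?://[^'"\s]+/admin/[^'"\s]*)['"]"""),
}


def redact(value: str) -> str:
    """Keep a short prefix so a finding is identifiable without reproducing the secret."""
    return value[:4] + "..." + "*" * max(0, min(8, len(value) - 4))


def scan_js(source: str):
    """Return a list of (finding_class, line_number, redacted_value) tuples."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((kind, line_no, redact(m.group(1))))
    return findings


# Constructed bundle excerpt; the key, token and hostnames are placeholders.
SAMPLE_JS = """
const config = {
  apiKey: "EXAMPLEKEY0123456789abcdef",
  liveApi: "https://api.example.test/live/v1",
  adminApi: "https://api.example.test/admin/v1/users",
};
fetch(config.liveApi, { headers: { Authorization: "Bearer EXAMPLE.TOKEN.abcdefghijklmnop" } });
"""

if __name__ == "__main__":
    for kind, line_no, value in scan_js(SAMPLE_JS):
        print(f"{kind:20} line {line_no}: {value}")
```

Run against the real build output in CI and fail the pipeline on any finding; the redaction keeps the scan log itself from becoming a second copy of the secret.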
One of the most concerning issues was the exposure of medical reports through the Live API. By utilizing a combination of the patient’s lab number and last name, which could be extracted from the Admin API, unauthorized access to detailed personal health information was possible.
“The PDF reports contained critical personal information such as the patient’s full name, contact number, medical condition with a detailed report, and invoice-related details,” the report reveals.
Adding to the alarm, lab numbers were assigned sequentially, so with minimal effort unauthorized individuals could step through them and access the medical reports and personal data of potentially millions of users.
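The two paragraphs above describe a classic insecure direct object reference: a guessable lab number plus a last name is accepted as authorization, and the sequence makes the whole record set walkable. As an added example, not code from CloudSEK or the diagnostic chain, the block below models that vulnerable lookup beside a hardened form (a server-side session, an ownership check per report, and random report identifiers) and adds a detector that flags sequential lab-number sweeps in access logs. Every record, session token, report id, endpoint path and log line is constructed for illustration, and the log line format is an assumption.

```python
"""Vulnerable vs. hardened report lookup, plus enumeration detection over
access logs. Added example; all data below is constructed."""

import re
import secrets
from collections import defaultdict
from typing import Optional

# Constructed records keyed the way the vulnerable endpoint looks them up.
REPORTS_BY_LAB_NO = {
    ("100001", "sharma"): "report-100001.pdf",
    ("100002", "verma"): "report-100002.pdf",
    ("100003", "khan"): "report-100003.pdf",
}
# Hardened storage: random report id -> (owning patient id, file).
REPORTS_BY_ID = {
    "c1f0e3a9b8d24e7f": ("patient-42", "report-100001.pdf"),
    "7d9a2b4c6e8f0a1b": ("patient-77", "report-100002.pdf"),
}
# Server-side session store: opaque session token -> authenticated patient id.
SESSIONS = {"sess-abc": "patient-42", "sess-xyz": "patient-77"}


def fetch_report_vulnerable(lab_no: str, last_name: str) -> Optional[str]:
    """The pattern the article describes: a guessable lab number plus a last
    name (both obtainable from the Admin API) count as authorization."""
    return REPORTS_BY_LAB_NO.get((lab_no, last_name.strip().lower()))


def fetch_report_hardened(session_token: str, report_id: str) -> Optional[str]:
    """Object-level authorization: a valid session is required, and the report
    must belong to the patient that session authenticates."""
    patient_id = SESSIONS.get(session_token)
    if patient_id is None:
        return None  # unauthenticated
    record = REPORTS_BY_ID.get(report_id)
    if record is None or record[0] != patient_id:
        return None  # missing and not-yours look identical to the caller
    return record[1]


def new_report_id() -> str:
    """Random, non-sequential identifier for a newly stored report."""
    return secrets.token_hex(8)


# Assumed access-log line shape: "<client> <ts> <path> <status>".
LOG_RE = re.compile(r"^(\S+) \S+ /api/live/report\?lab=(\d+)&name=\S+ (\d{3})$")


def detect_enumeration(log_lines, min_run: int = 3):
    """Return the sorted list of clients that requested at least `min_run`
    consecutive lab numbers. Status codes are deliberately ignored: a sweep
    is visible whether or not each individual guess succeeded."""
    labs_by_client = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            labs_by_client[m.group(1)].add(int(m.group(2)))
    flagged = []
    for client, labs in labs_by_client.items():
        ordered, run = sorted(labs), 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.append(client)
                break
    return sorted(flagged)


# Constructed log lines: one legitimate lookup and one sequential sweep.
SAMPLE_LOG = [
    "198.51.100.9 t1 /api/live/report?lab=100002&name=verma 200",
    "203.0.113.7 t2 /api/live/report?lab=100001&name=sharma 200",
    "203.0.113.7 t3 /api/live/report?lab=100002&name=verma 200",
    "203.0.113.7 t4 /api/live/report?lab=100003&name=khan 200",
    "203.0.113.7 t5 /api/live/report?lab=100004&name=guess 404",
]

if __name__ == "__main__":
    print(fetch_report_hardened("sess-abc", "c1f0e3a9b8d24e7f"))  # own report
    print(fetch_report_hardened("sess-abc", "7d9a2b4c6e8f0a1b"))  # someone else's
    print(detect_enumeration(SAMPLE_LOG))
```

The hardened lookup returns the same empty result for "no such report" and "not your report", so the endpoint cannot be used as an existence oracle; the random report id removes the sequence that made the sweep cheap, and the log detector gives the operations team a signal while the old endpoint is still being retired.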
Furthermore, an issue within the email feature allowed messages to be sent to any email address, with the ability to customize the subject and content. This weakness could be exploited for phishing attacks, potentially leading to further harmful actions.
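The email weakness above comes down to the caller choosing the recipient, subject and body. As an added example, not the diagnostic chain's code, the block below shows a notification endpoint hardened against that: the recipient is taken from the authenticated patient's record, the text comes from server-side templates, and only a fixed set of named fields may be supplied. The session store, patient record, template and address are constructed assumptions.

```python
"""Notification endpoint where the caller controls neither recipient nor
content. Added example; all data below is constructed."""

from string import Template

SESSIONS = {"sess-abc": "patient-42"}  # opaque session token -> patient id
PATIENTS = {"patient-42": {"name": "A. Sharma", "email": "a.sharma@example.test"}}

# Fixed subject/body templates; callers pick a template name and fill named fields.
TEMPLATES = {
    "report_ready": (
        "Your lab report is ready",
        "Dear $name, report $lab_no is now available in your account.",
    ),
}
ALLOWED_FIELDS = {"report_ready": {"lab_no"}}


def send_notification(session_token: str, template_name: str, fields: dict) -> dict:
    """Build the outbound message as a dict, or raise ValueError if the request
    tries to control recipient, subject or body."""
    patient_id = SESSIONS.get(session_token)
    if patient_id is None:
        raise ValueError("unauthenticated")
    if template_name not in TEMPLATES:
        raise ValueError("unknown template")
    if set(fields) - ALLOWED_FIELDS[template_name]:
        raise ValueError("unexpected fields")  # rejects 'to', 'subject', 'body', ...
    if any("\r" in str(v) or "\n" in str(v) for v in fields.values()):
        raise ValueError("line breaks not allowed")  # header-injection guard
    patient = PATIENTS[patient_id]
    subject, body = TEMPLATES[template_name]
    return {
        "to": patient["email"],  # never taken from the request
        "subject": subject,
        "body": Template(body).substitute(name=patient["name"], **fields),
    }


if __name__ == "__main__":
    print(send_notification("sess-abc", "report_ready", {"lab_no": "100001"}))
```

Hand the returned dict to the real mail transport; because every address originates from the patient store, the endpoint cannot be turned into a relay for messages to arbitrary recipients.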
The implications of these vulnerabilities are far-reaching, including unauthorized data access, identity theft, healthcare liability, patient safety risks, and erosion of trust in healthcare systems.
Organizations must ensure that APIs are properly configured and secured to protect sensitive data and maintain user trust.