Francetest says the security incident that led to the personal data leaking of 700,000 people is “closed”. To make such a constant, the antigen test manager site must provide technical evidence.
Tuesday, August 31, Mediapart revealed a data leak linked to antigenic tests, impressive both in terms of its volume and the amount of information on each person concerned. The personal data entered by more than 700,000 patients were displayed on a page of the Francetest site, itself accessible without a password or technical manipulation. You just had to enter a certain URL, common for a site edited on WordPress (one of the most used site creation software), and download the files.
Created in June 2021, Francetest presents itself as a manager of antigenic tests, and has convinced more than 600 pharmacies to use its service. Concretely, it generates the online form to be completed by the patient, and automates the sending of the results to the government platform, SI-DEP, which will certify them.
The day after the revelations, Francetest, whose founder Nathaniel Hayoun is quoted in the Mediapart article, issued a public statement posted on its site. The company explains that it would have taken ” the necessary technical measures “To correct the flaw, and that it would” calls on cybersecurity experts To reassess the security of its servers.
Regarding patient data, FranceTest is optimistic: “ To date, there is no evidence that the personal information of patients or pharmacists has actually been leaked. At this point, we consider this to be only a warning of an existing flaw that we remedied immediately as soon as we became aware of it. “
This defense is surprising, because there has indeed been a leak. Numerama, contacted by the person behind the discovery of this big problem, was in turn able to confirm the information from Mediapart. Multiple CSV files [un format de classeur qui peut être ouvert avec Microsoft Excel, Open Office Calc ou encore Google Sheet], which we consulted, were easily accessible without any identifier. They contain the information filled in by the patients in the form distributed upstream of the antigenic tests: last name, first name, social security number, gender, address, email, telephone number and date of birth. They also display information added by pharmacists such as the type of test and its result.
Now the question is no longer whether there was a leak, but how many people were able to access it. What if, among them, there were malicious individuals who could exploit the data or resell it. Asked by Numerama about the details of the technical verifications carried out to ensure that no patient data has been retrieved by an outside person, Francetest has so far not responded.
Francetest relies on the ideal scenario, but not very credible
The case of Francetest ranks among the ideal scenarios, since the leak was discovered at the source. The person behind the find notified the Mediapart reporter, who contacted the company himself. The company thus had time to repair the problem, and to close access to the data, even before the incident became public.
Conversely, many leaks are only discovered when data is traded on black markets. This was the case, for example, earlier in the year with data from French laboratories. There is no doubt then: the leak has benefited malicious people and more or less many people have tried to exploit it, for example to send phishings or to try to steal online accounts. In this disaster scenario, even if the leak is plugged, the data will remain forever exposed on the internet.
However, to start from the assumption that the benevolent person is the first to have found the fault is an optimistic, even idealistic vision, of the functioning of the Internet. All the more so when the leak is so easy to find and has been dragging on for several weeks, which is clearly the case with that of Francetest. By comparison, last year, Comparitech researchers carried out an experiment on a poorly protected ElasticSearch server, a source of leak well known to hackers, both ethical and criminal. In barely 9 hours, a person had found the base, and 2 weeks later at the end of the experiment, more than a hundred had connected to it and had downloaded or modified the base.
Anyone could access the gaping leak
” The Francetest error is extremely common. It’s not really a flaw, but more forgetting a good practice », Evaluates the hacker Adrien jeanneau, interviewed by Numerama. When a developer creates the directory of his site, he must, in principle, put a file there that will prevent access to outsiders. If he forgets it, like Francetest, then this index will be accessible to anyone: to humans, but also to bots [de petits programmes informatiques, ndlr]. Result, the bots of Google and other search engines, responsible for referencing all the internet pages, will have access to it. In other words, the page that contains the leak, if exposed for too long, will eventually be found on search engines.
Then, by a simple “dork”, that is to say a precise search which exploits the functionalities of the search engine, it is possible to find the exposed WordPress indexes, and hackers can specifically target this kind of leak. Fortunately, many WordPress sites do not store valuable information, which decreases the interest of criminals in this type of dork, to the profit of others like those targeting Elasticsearch. The fact remains that this operating mode means that a malicious actor could have found the leak “by chance”, without knowing Francetest, just by looking for the type of leak.
A hacker would have immediately found the leak
Likewise, any hacker who opened the Francetest site would have immediately found the flaw. When they inspect a site, hackers start by running a “scanner”, a small tool that will evaluate the site’s configuration, and take a tour of its defenses in some way. Gold, ” any basic scanner would have traced the leak », Says Adrien Jeanneau. Moreover, you don’t even need to be specialized to find the flaw, you just need to know how WordPress works. For example, the discoverer simply deleted a piece of the URL from their test results to access it.
This ease of access to the flaw is surprising, especially since the site displays that its data is stored on an Amazon Web Services server, with reinforced protections, certified as a health data host (HDS). ” Amazon cannot be held responsible in this case. “, Sweeps Adrien Jeanneau,” if the site setup is not correct, it doesn’t matter what is behind it. “
How to ensure that no one has obtained personal data?
You will understand: if there is a scenario in which only the person who warned Mediapart discovered the flaw, it is possible that malicious people had access to it. To rule out this possibility, Francetest should have technical evidence available. ” On tools like WordPress, logs [historique de toutes les interactions avec le site, ndlr] are enabled by default, and they will record all actions performed », Recalls Adrien Jeanneau. The owner of Francetest can therefore – in theory – go up the logs to identify possible intrusions. Each log indicates the time of the connection and the IP address [un type d’identifiant pour les machines] where it comes from. The company can analyze these logs: if it sees an unknown IP address, this would be the sign of a connection by an external device.
Francetest nonetheless takes precautions in its press release: its conclusions are worth ” for the moment ” Where ” nowadays “. The flaw revealed by Mediapart could be open since the commissioning of the site, or about two months.
The incident would be closed
But even before worrying about the publicly exposed data, Francetest will have to make sure that no malicious actor has connected to its back office, the technical back office of the site. The password to access it was actually displayed in clear text on the index: it was almost as easy to retrieve as patient data. A malicious actor could have used it to install a backdoor on the company’s server and continue to collect patient information, even as the leak was sealed. Faced with this risk, the consultation of a cybersecurity expert by Francetest is good news, and it seems reassuring.
The company says it has escaped bad scenarios, since it concludes that ” To date and at this time, Francetest has every reason to consider that this incident is technically closed. The next few days will reveal whether this observation is hasty or not.