Lodging a Complaint
Automated Decision-Making System / License
We also take note of the absence of an automated decision-making system as stated in article 86 of law 81 that stresses the need for “an automated processing” system, and the GDPR guidelines that emphasize the necessity of “the existence of an automated decision-making system, including information about how this system has been set up, the significance, and the consequences.”
After conducting a security analysis of IMPACT’s covax.moph.gov.lb and covid.pcm.gov.lb, we found no major security threats on the websites, but some vulnerabilities remain that need to be addressed immediately.
Covax.moph.gov.lb tech analysis
Note: The same analysis applies to IMPACT’s Covid.pcm.gov.lb platform since the code and servers are the same, whereas the User Interface (UI) and the web services are different.
Servers in Germany
IMPACT’s sub-platform for vaccine registration uses a German IP, with the main web-server located in Germany, at Leaseweb Deutschland GmbH Cloudstack Premium. The latter indicates that the hosting is based on Cloud technologies. Due to the nature of the data being collected at the Covax platform, a clarification from MoPH and IMPACT is required to understand where users’ data are stored. If it’s stored in Germany, this issue must be addressed to ensure Lebanese citizens’ data is protected and stored privately.
Not the best SSL encryption
On another note, Covax does not use the best technology available for Secure Sockets Layer (SSL) encryption, a protocol that secures communications over a computer network. The Covax server still accepts older versions of Transport Layer Security (TLS), namely TLS 1.2, TLS 1.0 and TLS 1.1, which indicates that a TLS downgrade attack is potentially possible.
The TLS protocol is used to encrypt communication between users and the servers, which are, in this case, the Lebanese citizens and the Covax platform. The latest TLS version is used only if both the client (Chrome/Android/iPhone etc.) and the server support it. If both sides negotiate a secure rather than a vulnerable TLS version, it is impossible to execute a man-in-the-middle attack (MITM), in which the attacker secretly compromises the communications between two parties (mainly the server and client devices). A TLS downgrade attack tricks the client device into using an older, vulnerable TLS version to encrypt the information in transit. The attacker then tries to intercept the information and exploit flaws in the older protocol version or in weak cryptographic algorithms. IMPACT stated that they keep these TLS versions for backward compatibility with older browsers and devices that do not support the newer TLS protocols.
Covax should address this issue by ending support for vulnerable TLS versions, including TLS 1.0 and TLS 1.1.
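To make the recommendation above checkable, the following added example (not code from the report or from IMPACT) probes which TLS versions a server you operate still accepts, one handshake per version, and then flags the versions the report says should be retired (TLS 1.0 and TLS 1.1). The host name is a constructed placeholder; the assessment function works on the probe's result dictionary and can also be run on a hand-built one.

```python
import socket
import ssl

# Constructed placeholder: point this at a host you are responsible for.
TARGET_HOST = "example.invalid"
TARGET_PORT = 443

# Versions that should no longer be offered, per the recommendation in the report.
DEPRECATED = {"TLSv1", "TLSv1_1"}

# Versions to probe, oldest first (enum members of the standard ssl module).
PROBE_VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def _context_pinned_to(version):
    """Build a client context that will only negotiate exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate validity is irrelevant here; we only test whether the
    # server is willing to complete a handshake at this protocol version.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Old versions need legacy cipher suites that modern OpenSSL builds
    # refuse at the default security level; lower it for the probe only.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_tls_versions(host, port=443, timeout=5.0):
    """Return {version_name: accepted} for each version in PROBE_VERSIONS."""
    results = {}
    for version in PROBE_VERSIONS:
        try:
            ctx = _context_pinned_to(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version.name] = tls.version() is not None
        except (ssl.SSLError, ValueError, OSError):
            # Handshake refused, version unsupported by local OpenSSL, or
            # network error: treat all of these as "not accepted".
            results[version.name] = False
    return results


def assess(results):
    """Summarise a probe result: which deprecated versions are still offered."""
    deprecated_offered = sorted(v for v in DEPRECATED if results.get(v))
    modern = results.get("TLSv1_2") or results.get("TLSv1_3")
    if deprecated_offered:
        verdict = "downgrade-exposed"
    elif modern:
        verdict = "ok"
    else:
        verdict = "no-tls"
    return {"deprecated_offered": deprecated_offered, "verdict": verdict}


if __name__ == "__main__":
    found = probe_tls_versions(TARGET_HOST, TARGET_PORT)
    for name, accepted in found.items():
        print(f"{name:8s} {'accepted' if accepted else 'rejected'}")
    print(assess(found))
```

The verdict "downgrade-exposed" corresponds to the report's finding: a server that still completes TLS 1.0 or 1.1 handshakes gives a downgrade attacker something to fall back to. Fixing it is a server-side configuration change (restrict the accepted protocol list to TLS 1.2 and 1.3), after which the probe should report both old versions as rejected.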
Potential Clickjacking attacks
We discovered that the Covax platform might be a target for clickjacking attacks because of missing security headers on the server side. Clickjacking is an interface-based attack (targeting the web view on the user’s side) in which a user is tricked into clicking on actionable content from a hidden website while believing they are clicking on some other content in a malicious website.
The risk is low, but the potential for clickjacking facilitates phishing attacks. For now, this finding is informational.
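The "security parameters on the server side" that prevent clickjacking are response headers: Content-Security-Policy with a frame-ancestors directive, or the older X-Frame-Options. The following added example (not part of the report) evaluates a response's headers the way a reviewer would, including the precedence rule that browsers apply frame-ancestors over X-Frame-Options when both are present, and the obsolete ALLOW-FROM form that current browsers ignore. The sample header sets are constructed for illustration.

```python
def framing_protection(headers):
    """Decide whether a set of response headers stops the page being framed.

    headers: mapping of header name -> value; names are matched case-insensitively.
    Returns (protected, reason).
    """
    lower = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors wins over X-Frame-Options in browsers that support it,
    # so evaluate it first; an explicit '*' is a weaker setting than nothing.
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if not sources or "*" in sources:
                return False, "CSP frame-ancestors allows any origin"
            return True, "CSP frame-ancestors " + " ".join(parts[1:])

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return False, "unrecognised X-Frame-Options value " + repr(xfo)
    return False, "no framing restriction header"


def hardened_headers():
    """The header pair a server should send so that both old and new browsers refuse framing."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


# Constructed samples: what a response without protection looks like, and one with it.
UNPROTECTED_RESPONSE = {"Content-Type": "text/html; charset=utf-8", "Server": "Jetty(9.4.z)"}
PROTECTED_RESPONSE = {"Content-Type": "text/html; charset=utf-8", **hardened_headers()}

if __name__ == "__main__":
    for label, hdrs in (("unprotected", UNPROTECTED_RESPONSE), ("protected", PROTECTED_RESPONSE)):
        ok, why = framing_protection(hdrs)
        print(f"{label:12s} protected={ok} ({why})")
```

Sending both headers is deliberate: frame-ancestors is the standard today, while X-Frame-Options still covers browsers that predate CSP level 2. A misconfiguration worth watching for is a CSP that sets `frame-ancestors *` next to `X-Frame-Options: DENY`; the check above reports that combination as unprotected because the CSP directive takes precedence.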
Shared Web Service
Lastly, the Covax platform also provides a web service based on Jetty. This service is probably accessible to other governmental entities and can be used to retrieve information or access the data available on the Covax platform. We identified the version as Jetty 9.4.36.v20210114. The severity of this finding is medium, but it could potentially have an important impact on the Covax platform. When this Jetty version handles a request containing multiple, specially crafted Accept headers with a large number of quality-value parameters, the server may enter a Denial of Service (DoS) state because it spends minutes of CPU time processing those quality values.
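The proper fix is to upgrade Jetty, but a front-end proxy or filter can also refuse the request shape the report describes before it reaches the application: Accept headers carrying far more media ranges and q= parameters than any browser sends. The following added example (not code from the report, from IMPACT, or from the Jetty project) parses one or more Accept header values and enforces such a limit, counting across all Accept headers in the request because the report notes that the problematic requests carry several. The limits and the sample header values are constructed assumptions; the thresholds are set well above what real clients produce.

```python
import re

# Assumed caps: a normal browser Accept header has four to eight media ranges
# and a handful of q= parameters, so these leave generous headroom.
MAX_RANGES = 32
MAX_Q_PARAMS = 16

# Well-formed quality value per RFC 7231: 0, 0.ddd, 1, or 1.000 (up to 3 decimals).
_Q_RE = re.compile(r"^\s*q\s*=\s*(0(\.\d{0,3})?|1(\.0{0,3})?)\s*$", re.IGNORECASE)


def parse_accept(header_values):
    """Parse Accept header values into (media_range, q, explicit_q) tuples.

    A malformed q= value is counted as a q parameter (it still costs the
    server work) but its numeric value is ignored, leaving q at 1.0.
    """
    ranges = []
    for value in header_values:
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            parts = [p.strip() for p in item.split(";")]
            media_range, params = parts[0], parts[1:]
            q, explicit = 1.0, False
            for p in params:
                name = p.split("=", 1)[0].strip().lower()
                if name != "q":
                    continue
                explicit = True
                m = _Q_RE.match(p)
                if m:
                    q = float(m.group(1))
            ranges.append((media_range, q, explicit))
    return ranges


def accept_header_check(header_values, max_ranges=MAX_RANGES, max_q=MAX_Q_PARAMS):
    """Return (allowed, reason) for the Accept headers of one request."""
    ranges = parse_accept(header_values)
    q_params = sum(1 for _, _, explicit in ranges if explicit)
    if len(ranges) > max_ranges:
        return False, f"{len(ranges)} media ranges exceeds limit of {max_ranges}"
    if q_params > max_q:
        return False, f"{q_params} q= parameters exceeds limit of {max_q}"
    return True, f"{len(ranges)} ranges, {q_params} q= parameters"


# Constructed samples: a typical browser header, one flooded with q values in a
# single header, and one spread across many repeated Accept headers.
BROWSER_ACCEPT = ["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"]
FLOODED_ACCEPT = [",".join(f"a/b{i};q=0.{i % 10}" for i in range(200))]
REPEATED_ACCEPT = ["a/b;q=0.5"] * 40

if __name__ == "__main__":
    for label, hv in (("browser", BROWSER_ACCEPT), ("flooded", FLOODED_ACCEPT), ("repeated", REPEATED_ACCEPT)):
        print(label, accept_header_check(hv))
```

Rejecting such requests at the edge is a compensating control only: it protects the CPU budget of an unpatched instance while the version upgrade is scheduled, and the rejection count is a useful detection signal in proxy logs.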
We are ready to help with new apps and websites looking to fortify their privacy and security, and we will – in partnership with Friedrich Naumann Foundation (FNF) in Lebanon and Syria – expand our work on serving as a watchdog over citizens’ digital data on Lebanon’s government platforms.