South Korea’s self-isolation app had security flaws that exposed names and locations of users

A government app used by South Korea to monitor at-home quarantines was found to contain a serious security flaw.

According to a report from The New York Times, the self-isolation app, which was a major component of the country’s plan to drastically reduce the number of cases effectively and quickly, exposed users’ names, phone numbers, medical symptoms, and their real-time location data.

Software engineer, Frédéric Rechtenstein, who lives in Seoul, came across the flaws after using the app during his own isolation period.

Rechtenstein found that the app was assigning users easily guessable ID numbers meaning that hackers could easily figure out a user’s credentials and use it to access their data. 

The app also used an insecure from of encryption that with a code written directly into the app. Additionally, that code followed a simple, easy-to-guess pattern which was ‘1234567890123456.’

With that access, hackers would have also been able to make it appear as though a user was breaking isolation rules by making unauthorized trips outside their homes. 

A new update has reportedly rectified the security flaws in the app, which has 162,000 downloads, and government officials have since apologized for the security lapse. 

A The oversight was a product of the speedy rollout according to government officials interviewed by The Times.

‘We were really in a hurry to make and deploy this app as quickly as possible to help slow down the spread of the virus,’ Jung Chan-hyun, an official at the Ministry of the Interior and Safety’s disaster response division told The Times. 

‘We could not afford a time-consuming security check on the app that would delay its deployment.’

There’s currently no evidence that the flaws were exploited according to The Times.