The Ehteraz app, the contact tracing app launched by Qatar during the COVID-19 pandemic,
had a massive vulnerability that could have allowed hackers to access users’ data. Because
of the urgency of the release, security was not treated as a top priority, even though the
app required a lot of sensitive user data. Thankfully, no attackers had exploited this
vulnerability by the time it was found. However, the party that discovered the bug was able
to access sensitive information such as a person’s name and GPS location.
The vulnerability was detected by Amnesty International 5 days after the app’s official
launch, and was then quickly patched within one day. Amnesty was conducting a larger analysis
of all contact tracing apps across the world to see if they were human rights compliant, and
discovered this vulnerability coincidentally in the process.
A group of hackers known as the Syrian Electronic Army (SEA) infiltrated the domain registrar
of Qatar in 2013. All the major websites hosted in Qatar, such as google.com.qa, the local Facebook
server, and almost all ministry websites, were taken down and displayed an error saying ‘CPU limit
reached’. The hack temporarily stalled many services available in Qatar. The attackers
accessed these domains by gaining administrative access to the registry.qa portal and decrypting
passwords and their corresponding emails to gain full control.
The SEA made it clear that they were responsible for this hack by publishing a tweet saying
“Qatar is #down”, which alerted the authorities to the hack. The response was swift: all websites
were recovered on the same day, just a few hours after the attack. Thankfully, no financial losses
were confirmed, so the effect of the hack was mitigated quite a bit.