Manila City COVID-19 vaccination website vulnerable to data breach, a resident warns

Individuals wait in line as early as 5 a.m. for the start of the vaccine roll out program of the local government for people under the A4 priority group at the SM City Manila on June 8, 2021.
The STAR / Miguel de Guzman

MANILA, Philippines — The Manila local government's COVID-19 vaccine registration website may be vulnerable to a security breach, a Manila resident warned.

Fernando Nicolei Esperida, a resident of Manila, posted on Facebook Thursday that residents' information is exposed without the need for authentication.

He filed a complaint regarding possible data privacy violations with the local government of Manila and forwarded it to the Department of Information and Communications Technology.

Residents viewing their records on the website are required to input a one-time password (OTP) sent via text message to authenticate and verify those logging in. 

Esperida demonstrated in a video how he can access other accounts, as well as his own, without the need for an OTP.

“It started when I noticed that the website is showing the one-time password in plain text meaning there is no sort of [any] encryption and can easily [be] viewed by anyone even without programming knowledge but this issue I found is already patched,” Esperida said.

He explained that this security vulnerability can “lead to data breach” if the Manila local government does not fix the issue.

“This security vulnerability can lead to a data breach if they are not going to act on fixing this issue as soon as possible and for now there are no data breach reports yet. If this was breached, as announced by Manila Public Information Office, there are now 1,409,497 individuals registered on the website,” he warned. 

Esperida sent his full-disclosure report to Manila Mayor Francisco Moreno Domagoso and the Department of Information and Communications Technology - National Computer Emergency Response Team (DICT - NCERT). He has yet to receive a response on how to fix this technical issue.

Esperida called for protection of the information of those who registered to avoid violations of the Data Privacy Act of 2012.

“This security vulnerability in manilacovid19vaccine.ph could allow a malicious user or attacker to harvest useful user data from the website like full name, birthday and address without having a one-time password from the registered mobile number,” he explained.

Esperida said he is willing to coordinate with the authorities and suggested a “possible fix” to the local government to strengthen web security.

“I am willing to coordinate with the Manila LGU and in my report I included their possible fix they can do to strengthen the security but it's been a month and only the DICT-NCERT responded to my email,” he said. — intern Christine Joyce Paras

