Manila City COVID-19 vaccination website vulnerable to data breach, a resident warns
MANILA, Philippines — The Manila local government's COVID-19 vaccine registration website may be vulnerable to a security breach, a Manila resident warned.
Fernando Nicolei Esperida, a resident of Manila, posted on Facebook Thursday that residents' information is exposed without the need for authentication.
He filed a complaint regarding possible data privacy violations with the local government of Manila and forwarded it to the Department of Information and Communications Technology.
Residents viewing their records on the website are required to enter a one-time password (OTP) sent via text message, which authenticates and verifies those logging in.
Esperida demonstrated in a video how he can access other accounts and how he can access his own without the need for an OTP.
“It started when I noticed that the website is showing the one-time password in plain text meaning there is no sort of [any] encryption and can easily [be] viewed by anyone even without programming knowledge but this issue I found is already patched,” Esperida said.
He explained that this security vulnerability can “lead to data breach” if the Manila local government does not fix the issue.
“This security vulnerability can lead to a data breach if they are not going to act on fixing this issue as soon as possible and for now there are no data breach reports yet. If this was breached, as announced by Manila Public Information Office, there are now 1,409,497 individuals registered on the website,” he warned.
Esperida sent his full-disclosure report to Manila Mayor Francisco Moreno Domagoso and the Department of Information and Communications Technology - National Computer Emergency Response Team (DICT - NCERT). He has yet to receive a response on how to fix this technical issue.
Esperida called for protection of the information of those who registered to avoid violations of the Data Privacy Act of 2012.
“This security vulnerability in manilacovid19vaccine.ph could allow a malicious user or attacker to harvest useful user data from the website like full name, birthday and address without having a one-time password from the registered mobile number,” he explained.
Esperida said he is willing to coordinate with the authorities and suggested a “possible fix” to the local government to strengthen web security.
“I am willing to coordinate with the Manila LGU and in my report I included their possible fix they can do to strengthen the security but it's been a month and only the DICT-NCERT responded to my email,” he said. — intern Christine Joyce Paras