Exploiting AarogyaSetu & CoWIN APIs for auto vaccine booking bot — AarogyaBot?

Source: here
Source: here
Application is private and not distributed
I allowed the loop to go on even after successful booking
Confirmation SMS received after a sec.


What should’ve done

  1. Secret key should expire sooner than current duration and should have limited number of “query calls”
  2. Adding another verification factor in AarogyaSetu while booking appointment
  3. Tampering protection in Android application at runtime.

Do developers know?



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store