Exploiting AarogyaSetu & CoWIN APIs for auto vaccine booking bot — AarogyaBot?

Source: here
Application is private and not distributed
I allowed the loop to go on even after a successful booking
Confirmation SMS received after a second.

Conclusion

What should have been done

  1. The secret key should expire sooner than its current lifetime and should allow only a limited number of “query calls”
  2. Adding another verification factor in AarogyaSetu while booking an appointment
  3. Tamper protection in the Android application at runtime.
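As an added illustration of the first recommendation (not code from the article or from the CoWIN/AarogyaSetu services), this is a server-side store that issues a secret key with a short lifetime and a capped number of query calls; the TTL of 300 seconds and quota of 20 calls are assumed values, and the `clock` parameter exists only so the behaviour can be checked without waiting.

```python
from dataclasses import dataclass
import secrets
import time

# Assumed policy values, not taken from the real services.
KEY_TTL_SECONDS = 300   # a key lives 5 minutes
KEY_QUERY_QUOTA = 20    # at most 20 query calls per key


@dataclass
class IssuedKey:
    issued_at: float
    queries_left: int


class SecretKeyStore:
    """Issue short-lived secret keys and enforce a per-key query budget."""

    def __init__(self, ttl=KEY_TTL_SECONDS, quota=KEY_QUERY_QUOTA, clock=time.time):
        self._ttl = ttl
        self._quota = quota
        self._clock = clock          # injectable for deterministic testing
        self._keys: dict[str, IssuedKey] = {}

    def issue(self) -> str:
        # 256-bit random key; the store keeps the issue time and remaining budget.
        key = secrets.token_urlsafe(32)
        self._keys[key] = IssuedKey(self._clock(), self._quota)
        return key

    def consume(self, key: str) -> tuple[bool, str]:
        """Spend one query call on `key`; reject unknown, expired or exhausted keys."""
        rec = self._keys.get(key)
        if rec is None:
            return False, "unknown key"
        if self._clock() - rec.issued_at > self._ttl:
            del self._keys[key]           # expired keys are forgotten, not reused
            return False, "expired"
        if rec.queries_left <= 0:
            del self._keys[key]           # budget spent: a polling loop stops here
            return False, "quota exhausted"
        rec.queries_left -= 1
        return True, "ok"
```

A booking loop that keeps polling with one key therefore fails after the quota is spent or the TTL passes, and must go back through key issuance (and any verification attached to it).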

Do developers know?

Abhi Tripathi