Exploiting AarogyaSetu & CoWIN APIs for auto vaccine booking bot — AarogyaBot?

Source: here
Source: here
Application is private and not distributed
I allowed the loop to go on even after successful booking
Confirmation SMS received after a sec.

Conclusion

What should’ve done

  1. Secret key should expire sooner than current duration and should have limited number of “query calls”
  2. Adding another verification factor in AarogyaSetu while booking appointment
  3. Tampering protection in Android application at runtime.

Do developers know?

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Can there be static imports in Java

Digital Goods Transaction of Actions on Google (Write Code and Test)

RSS and Ruby — It’s Really Simple

Free Pdf Editor For Mac Os X 10.4.11

Hololoot Public Beta

Skaffold: How to work with multiple configs in one file aka modules

Scala Type Hierarchy

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Abhi Tripathi

Abhi Tripathi

More from Medium

CMU 15–112 Term Project: Mini Dimensional Traveler Game

Applications that are useful on a daily basis using a smartphone.

How to Pair Program Effectively

What will it Cost to Build a Taxi-Booking App?

What will it cost to build a taxi-booking app?