Exploiting AarogyaSetu & CoWIN APIs for auto vaccine booking bot — AarogyaBot?
Disclaimer: This is not a “How to” guide for automatic booking.
I was booking a vaccination appointment for my relative through the AarogyaSetu Android application and I observed how quickly the slots were gone. So I decided to look inside the application and the CoWIN portal, and found some interesting things: things that can be exploited, things that can be used to create an automatic booking application or a simple script that will notify you and schedule an appointment whenever a slot is available.
No vital information is disclosed in this blog.
Most of the information is discussed at a high level.
If you’ve already heard the news
It’s somewhat true for the public APIs. But the private APIs are still working. Of course they work, since they are used in the official portals, but the problem with the private APIs is that we can’t use them as they require a secret token, a key that allows access to realtime data.
The secret token is encrypted with AES-256 and the key is actually visible in the source code, which can be viewed with the browser’s developer tools. The generated secret can also be grabbed easily through the same tools. As per industry standard, this secret is supposed to expire after some duration, so even if someone knows the endpoints and the secret they won’t be able to use it for long: a new secret will be required after the current one expires.
But that’s not the case with CoWIN. For me, a secret generated 3 days ago is still working. This renders the encryption useless.
So here comes the problem: an exploiter can easily write a script for a replay attack.
Though what we are trying to achieve is not an “attack”, it is a pretty good misuse.
CoWIN requires a captcha before scheduling an appointment, and that is actually good: without it, an automated booking script with no human interaction could be written. Scripts like this exist on GitHub as I’m writing this blog, and they use the same techniques mentioned above, but they require you to enter the captcha. Still, there’s some damage.
We can still see the available vaccination centres in realtime. So if we have the secret we can create a mobile app which polls CoWIN’s private API every 10 seconds and notifies us in realtime. Here’s a pseudo algorithm:
This works in realtime and gives the user a head start. It requires no human interaction; everything is automated.
CoWIN Watch Dog Android application
So I created this small application for test purposes. It works in the background and notifies when a slot is available in realtime. And it worked, basically by misusing the official API.
That’s not the end of the story; the climax is on the way. When I was done with CoWIN I moved to the AarogyaSetu Android application, and as I was looking around I noticed that AarogyaSetu doesn’t ask for any kind of captcha; it’s a straightforward quick booking. Honestly, I was afraid and curious, so I looked into it to see how it allows booking an appointment without entering a captcha.
I quickly decompiled the app and made some modifications to disable the secure protocols so I could view the workings of the app, and as it turns out it uses a different form of security. It basically uses 3 types of tokens: one expires in 24 hours, one expires in 15–20 minutes (this is the AuthToken, regenerated via OTP), and one stays the same (this seems to be a UUID).
The golden key here is the token which expires in 24 hours. As I’m already regenerating the OTP and auto-verifying it in my bot app, I only have to update this golden token manually every 24 hours.
Yes, by patching the AarogyaSetu app we can get these endpoints and secrets and create a bot application which requires no human interaction for booking an appointment: a “totally automated booking bot”.
Let’s see if we can achieve that.
The application remains the same as the CoWIN watchdog we created before, with an additional process, “Schedule appointment”. The application is merely a process: it runs in the background and requires no interaction with the user; we have to look at the application logs for process updates.
Unfortunately this worked, and honestly I didn’t want it to work. But here we are. Hilariously, the API returned error code 500 after a successful booking.
Though this is advanced stuff and not everyone will be able to perform it, circulation of pre-made tools/apps like this is possible. Given the architecture of AarogyaSetu and CoWIN versus the behaviour and the complexity of using these tools, I personally believe tools like this will not make sufficient impact to call it a disruption.
These findings cleared my personal doubt: “I observed how quickly the slots were gone”.
Slots were gone because people are actually staying online 24/7 on AarogyaSetu and CoWIN. Using these tools takes a lot of effort and a high level of complexity, and it’s really easier to stay online than to configure them.
So in conclusion, all my experiments and tests show that using this vulnerability an automated bot application or script can be created.
What should’ve been done
- The secret key should expire sooner than the current duration and should allow only a limited number of “query calls”
- Adding another verification factor in AarogyaSetu while booking an appointment
- Tampering protection in the Android application at runtime
Do developers know?
I’ve already reported all this to the developers in a detailed report, and we should expect a fix any time soon. It’s nobody’s fault; no one was prepared for a pandemic. Maintaining these things is not easy.
Thanks for reading