Thailand’s Covid-19 Vaccination Platform Dedicated to Foreigners Was Breached
Private Information Was Unprotected and Became Visible Online.
Last updated on August 3, 2021
Thailand is debuting its vaccination campaign for foreigners with a new vaccine appointment registration site called expatvac.consular.go.th. The breached Covid-19 vaccination platform was developed in collaboration with the Ministry of Public Health, the Department of Disease Control, and other consular affairs departments.
Unfortunately, the website did not work flawlessly from the start, and it received mixed reviews: many users reported a lot of issues, but many people also said that they received emails confirming their registration and upcoming appointments.
The Data Breach
The website was launched at 11 AM and within minutes people were reporting crashes and errors.
It was concerning to see that people’s private information was unprotected and visible online: screenshots of publicly accessible backdoors showed the emails and personal details of more than 20,000 applicants.
Many users said the system failed at the stage where they submitted their email: the website would crash, or they would receive an error requiring them to start over or refresh the page. When they started over, the system did not accept the email address they had provided.
This happened because, when the site crashed, the backend database had already saved the submitted data and therefore considered the email address already used.
Some users suggested that using the same email address you gave immigration worked better. Amid the crashes, errors, site outages, and lots of tries, users did eventually make it through the process.
Although the process could be considered tedious and had numerous problems, officials managed to resolve the issues quickly, and registrations are now going through. Foreigners trying to access the website are advised to keep trying if they encounter errors as the vaccine site launches and becomes more stable.
This was not the first time the vaccination campaign has encountered this type of digital issue: www.thailandintervac.com was previously found to be revealing names, passport numbers, and resident provinces of people who registered on the website. Every time the page was refreshed, a different foreign national’s information would be revealed.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.