The eGovPH Android app, designed to streamline government services for citizens, was found to contain a hardcoded secret key embedded in its code. The secret is used to authenticate to a third-party API (UploadCare) to which users' identification documents are uploaded.
A secret shipped inside an APK can be recovered by anyone who decompiles it, so it cannot be considered confidential: it could be used to authenticate to the API with the app's own credentials, exposing sensitive user data to unauthorized actors.
Secure coding guidance discourages hardcoding secret keys in client applications; a credential that must stay secret belongs on a server the app talks to, not in code distributed to every user's device. For government apps like eGovPH, which are entrusted with user data, stringent security controls are essential to maintain user trust and to uphold the integrity and confidentiality of sensitive information.
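The check below is an added example, not code from the eGovPH app, from UploadCare or from DICT. It shows the kind of scan a reviewer can run over decompiled APK output (for instance the `res/values/strings.xml`, recovered Java/Kotlin constants and `smali` files that apktool produces) to catch a key like the one described above. The file paths, identifier names and the hex key value in the sample inputs are constructed; the list of credential-looking identifier fragments and the entropy threshold are assumptions to tune for the code base under review.

```python
# Added example: a minimal hardcoded-secret scanner for decompiled Android
# sources. Not code from the eGovPH app, UploadCare or DICT; the sample
# inputs are constructed and every key value in them is made up.
import math
import re
from collections import Counter

# Identifier fragments that suggest a value is a credential (assumption:
# a starting list, extend it for the code base being reviewed).
SECRET_NAME = re.compile(r"secret|api[_-]?key|private[_-]?key|token|passw", re.I)

# Three places a key ends up in a decompiled APK.
PATTERNS = {
    # <string name="x" translatable="false">value</string>
    "strings.xml": re.compile(r'<string\s+name="([^"]+)"[^>]*>([^<]*)</string>'),
    # Java/Kotlin: static final String SECRET_KEY = "value";  /  val secretKey = "value"
    "constant": re.compile(r'\b([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"\n]*)"'),
    # smali: .field public static final SECRET_KEY:Ljava/lang/String; = "value"
    "smali": re.compile(
        r'\.field[^\n]*?\b([A-Za-z_][A-Za-z0-9_$]*):Ljava/lang/String;\s*=\s*"([^"\n]*)"'
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits per character. Prose lands around 3 to 4; a random 32-char hex
    key approaches 4.0 and random base64 approaches 6.0."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def find_hardcoded_secrets(path: str, text: str, min_len: int = 16,
                           min_entropy: float = 3.5) -> list:
    """Return candidate secrets found in one decompiled source file.

    A hit needs (1) a credential-looking identifier, (2) a literal long
    enough to be a key, (3) no whitespace (UI strings have spaces, keys do
    not) and (4) entropy above `min_entropy`, which drops the lowest-entropy
    placeholders such as "changeme_changeme". It is a heuristic: review hits
    by hand, and lower the threshold if real keys are being missed."""
    seen = set()
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            name, value = m.group(1), m.group(2).strip()
            if not SECRET_NAME.search(name):
                continue
            if len(value) < min_len or any(ch.isspace() for ch in value):
                continue
            entropy = shannon_entropy(value)
            if entropy < min_entropy or (name, value) in seen:
                continue
            seen.add((name, value))
            findings.append({"file": path, "kind": kind, "name": name,
                             "value": value, "entropy": round(entropy, 2)})
    return findings


def scan(files: dict) -> list:
    """Scan a mapping of path -> decoded file contents (e.g. apktool output)."""
    results = []
    for path, text in files.items():
        results.extend(find_hardcoded_secrets(path, text))
    return results


# Constructed sample of what apktool output might contain. The same made-up
# key is planted twice (resource string and smali field); the other literals
# are negatives the scanner should skip.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '    <string name="app_name">Sample Gov App</string>\n'
        '    <string name="api_key_hint">Enter your API key</string>\n'
        '    <string name="upload_secret_key" translatable="false">'
        '3f9a1c7e0b4d8625a0e5c3b7f19d2864</string>\n'
        '</resources>\n'
    ),
    "sources/com/example/app/Config.java": (
        'package com.example.app;\n'
        'public final class Config {\n'
        '    public static final String BASE_URL = "https://api.example.invalid/v1/";\n'
        '    public static final String SESSION_TOKEN_PLACEHOLDER = "changeme_changeme";\n'
        '}\n'
    ),
    "smali/com/example/app/Uploader.smali": (
        '.class public final Lcom/example/app/Uploader;\n'
        '.field private static final UPLOAD_SECRET_KEY:Ljava/lang/String; = '
        '"3f9a1c7e0b4d8625a0e5c3b7f19d2864"\n'
    ),
}

if __name__ == "__main__":
    for hit in scan(SAMPLE_FILES):
        print(f'{hit["file"]}: {hit["kind"]} {hit["name"]} = {hit["value"]!r} '
              f'(entropy {hit["entropy"]})')
```

Run against a real `apktool d` output directory by reading each file into the `files` mapping passed to `scan`. A hit does not prove the key is live; confirm by checking how the app uses it, and treat any confirmed key as compromised and rotate it, since fixing the app removes it only from future builds, not from copies of the old APK already in circulation.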
Timeline:
- November 5, 2023 - Vulnerability Reported
- November 13, 2023 - DICT released a new version of the app addressing the vulnerability.
- December 22, 2023 - Public Disclosure
I commend the DICT for swiftly addressing the vulnerability, and I extend appreciation to Mr. Rodel Plasabas for assisting in the responsible disclosure of the vulnerability to the DICT.