Earlier this week, Jake Bright of TechCrunch reported that certificate researcher Anurag Sen had found an exposed database belonging to LogBox, a southward African medical data app that allows patients to apportion info with their doctors more easily. According to TechCrunch’s report, the researcher had found an exposed database containing account access tokens for “thousands of LogBox users, which if used would grant full access to users accounts without requiring their password, Sen said.” Sen reportedly reached out to LogBox to responsibly disclose his findings, but they did not reply to him and would not resolve any of TechCrunch’s questions. It’s unfortunate that they did not respond to Sen’s responsible disclosure, as i think they missed an opportunity to find out if there was anything else he could recount them that might assist them. DataBreaches.net reached out to both the researcher and to LogBox to inquire more about the extent and sensitivity of any patient data. Sen responded to this site’s enquiry by stating that the tokens provided access to medical procedures of patients, prescriptions, and personal information. LogBox provided a very different answer, however. According to their spokesperson, the vulnerability, which was in the network firewall and not the application itself, first occurred in November, 2019 and affected only a survey spring introduced as portion of a new feature in late 2019. “Based on our forensic work to date, a maximum of 25,000 survey forms, predominantly relating to pilot or test data, were potentially exposed,” the spokesperson informed DataBreaches.net. “The open port enabled access to a separate and external database of traffic logs that were being used for usage-monitoring and technical sustenance purposes.” When asked to confirm whether any real patient data was accessible via the survey forms, the spokesperson responded: Yes. That said, please line that the data that was lost constituted network tokens, which could theoretically have been used to access the survey form for the 3 users, and only that survey forms contents. There is however, no evidence based on the forensic examination thus far, that the tokens were actually used to access the forms. Our panorama at present is accordingly that no actual patient data at all, was exposed. Rather, it was network traffic-related data. The firm says it is committed to ensuring that this incident, or something similar, does not recur, writing that they believe that the added security-related measures they have already taken, coupled with reinforcement from external specialists, should ensure that LogBox is safe to use. Quite aside from any other consideration, LogBox has proven to be a remarkably potent tool in improving clinical case collaboration, where multiple medical specialists are involved, treating gravely ill patients. We are committed to ensuring that it is not derailed by this incident, and the unfortunate manner in which it was reported by TechCrunch. That LogBox has developed a good reputation seems undeniable, and the site notes that it is “Approved by the Colleges of medicine South Africa.” But was TechCrunch’s reporting “unfortunate” in the sentiency of “inaccurate?” And is LogBox’s explanation consistent with the researcher’s findings? When contacted for a reception to LogBox’s claims, TechCrunch stated it is standing by its reporting. as part of this site’s attempt to resolve the conflicting claims by Sen and LogBox, DataBreaches.net obtained more information. To cut to the chase: that information provides reinforcement for TechCrunch’s reporting. More importantly, it is inconsistent with LogBox’s description of what was accessible. None of the limited data obtained by DataBreaches.net has anything to do with any survey forms. To the contrary, the data appears to be from the startup’s academic platform and perhaps one other platform. In addition to that conflicting data, DataBreaches.net also obtained evidence of a ransom note that was allegedly left on LogBox’s server. The following is the text of that ransom note, redacted by DataBreaches.net: The likelihood that data were actually exfiltrated or copied is slim to none (and more likely to be “none”). But if this ransom line was on that server, it seems top that at least ace crook entity — likely an automatic script — accessed LogBox’s database. This particular ransom note had been noted in other reports backrest in May – June, 2019, with earlier detections of “howtogetmydataback” noted in the wild in September, 2018. That said, it is not clear when this alleged snipe on LogBox occurred, or why it remained on their server. All told, it is important to recollect that what happened here demonstrated a vulnerability and not an actual data breach. And we all cognize how many misconfigured databases we’ve seen in the past 3+ years. But it is unfortunate that the startup did not take advantage of a whitehat researcher who tried to responsibly share with them what he had found. i would encourage LogBox to hit out to him to consider if he would still live willing to apportion his findings and recommendations with them so that they can live confident that they have fully addressed any vulnerabilities he may have found.