The damage to Jamaica’s reputation continues on Monday (February 22), as TechCrunch reports on a second security lapse in as many weeks associated with the JamCOVID19 app.

The data lapse, an exposed environment variables (.env) file, was picked up by an independent security researcher who told TechCrunch that the file was found in an open directory on the JamCOVID website.

“A security researcher told TechCrunch on Sunday that the Amber Group left a file on the JamCOVID website by mistake, which contained passwords that would have granted access to the backend systems, storage and databases running the JamCOVID site and app. The researcher asked not to be named for fear of legal repercussions from the Jamaican government,” TechCrunch reported.

Environment variables (.env) files, according to TechCrunch, are often used to “store private keys and passwords for third-party services that are necessary for cloud applications to run”.

On occasion, these .env files recklessly uploaded by mistake, but can be used to gain access to sensitive data or services that cloud applications rely on if found by malicious interests.

“The exposed environmental variables file was found in an open directory on the JamCOVID website. Although the JamCOVID domain appears to be on the Ministry of Health’s website, Amber Group controls and maintains the JamCOVID dashboard, app and website,” the article continued.

“The exposed file contained secret credentials for the Amazon Web Services databases and storage servers for JamCOVID. The file also contained a username and password to the SMS gateway used by JamCOVID to send text messages, and credentials for its email-sending server,” TechCrunch further reported.

Senior editor Zack Whittaker said that as with the previous exposé, TechCrunch immediately notified Amber Group CEO Dushyant Savadia of the online loophole, who “pulled the exposed file offline a short time later”.

Savadia did not comment or respond to suggestions to revoke and replace the keys.

The Ministry of National Security, particularly State Minister Matthew Samuda, also did not respond to requests for comment.