News
| Feb 23, 2021

JamCOVID ‘totally shot’: Golding blasts credibility of Government portal after revelation of new security failure

/ Our Today

administrator
Mark Golding

Opposition Leader Mark Golding has declared the credibility of the Government’s JamCOVID portal “totally shot”, just hours after American online media outlet TechCrunch revealed a second security lapse on the website used by travellers to the island to apply for authorisation to visit Jamaica.

Commenting on the latest embarrassing revelation Monday night, Golding said on Twitter: “So much for recent assurances….another major security flaw exposed! JA demands accountability. The Gov must publish its contract now. Is there a US$ fee per user for this ‘free’ portal? And who owns the data?”

Earlier in the day, TechCrunch, through security editor Zack Whittaker, reported that the data lapse, an exposed environment variables (.env) file, was picked up by an independent security researcher who told the technology specialist media organisation that the file was found in an open directory on the JamCOVID website.

TechCrunch editor Zack Whittaker. (Photo: Everipeida.com)

“A security researcher told TechCrunch on Sunday that the Amber Group left a file on the JamCOVID website by mistake, which contained passwords that would have granted access to the backend systems, storage and databases running the JamCOVID site and app. The researcher asked not to be named for fear of legal repercussions from the Jamaican government,” TechCrunch reported.

GOVERNMENT IN DAMAGE CONTROL MODE

The news came as the Government remained in damage control mode after TechCrunch reported last week on another security lapse that it said left exposed the immigration records and COVID-19 test results of hundreds of thousands of travellers who visited the island over the past year.

In that case, TechCrunch said a cloud storage server storing the uploaded documents was left unprotected and without a password, and was “publicly spilling out files onto the open web”.

Founder and CEO of Amber Group Ltd Dushyant Savadia (left) with Prime Minister Andrew Holness.

The Government, however, while acknowledging that there had been an issue with the portal and indicating it had been fixed immediately on discovery, would subsequently claim that the data of only 700 persons was affected and that they had each been contacted on the matter.

Yesterday TechCrunch said the latest security lapse had also been addressed after the media outlet got in touch with the JamCOVID portal’s developer, Amber Group Ltd, through its founder and CEO Dushyant Savadia.

Savadia’s Amber Group, which had remained silent for days in the wake of last Wednesday’s disclosure of the first security lapse, stated in a release on Saturday that it “immediately and successfully” addressed the issue regarding the cloud server and that “a leading international cyber security provider has verified to the GOJ that there are no vulnerabilities that could lead to any form of data exposure or breach at the infrastructure”.

The Group added: “Amber’s preliminary investigation also confirms this, and we are confident this was a completely isolated occurrence.”

The Group also quoted Savadia as stating: “Amber’s data protection and security systems remain our highest priority in ensuring our compliance with international best practices that govern information security management.”

Amber Group founder and CEO, Dushyant Savadia. (Photo: ICDGroup.net)

Savadia’s and Amber Group’s assurances came a day before TechCrunch says it was advised of the latest security lapse.

On Twitter, Shawn Wenzel, president of IT management consulting firm CaribTek, after examining a screenshot of the JamCOVID portal posted by Whittaker, said its architecture was fundamentally flawed.

(Image: Twitter @zackwhittaker)

“This flaw goes way beyond Amber Group forgetting to secure the S3 bucket. It seems security was just not a consideration at all,” he argued before outlining what he considered a number of issues.

“When we look at the timelines this shouldn’t be surprising: Amber reportedly threw this app together in 3 days. This just isn’t enough time to get the security right or to do proper in-house testing!”
