Amber Group has fixed a second vulnerability that exposed private keys and passwords for the JamCOVID app and government website.
A security researcher told TechCrunch on Sunday that Amber Group accidentally left a file on the JamCOVID website containing passwords that would have given access to the backend systems, storage and databases on which the JamCOVID site and app run. The researcher asked not to be named for fear of legal repercussions from the Jamaican government.
This file, known as an environment variables (.env) file, is widely used to store private keys and passwords for the third-party services that cloud applications need in order to run. These files are sometimes accidentally exposed or uploaded by mistake, and if a malicious actor finds one, it can be misused to gain access to the data or services on which the cloud application relies.
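A pre-deployment check for the mistake described above, as an added example that is not from the article or from Amber Group: it walks a directory that is about to be served publicly and reports any dotenv file in it, listing the names (never the values) of variables that look like credentials. The file-name and key-name patterns are assumed heuristics.

```python
import os
import re
import sys

# Assumed heuristics (not from the article): dotenv file names such as
# .env or .env.production, and key names that usually hold credentials.
DOTENV_NAME = re.compile(r"^\.env(\..+)?$")
SECRET_KEY = re.compile(
    r"(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE|API_?KEY|ACCESS_KEY)", re.I
)
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def secret_keys_in(path):
    """Return names (never values) of non-empty, secret-looking variables."""
    names = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.lstrip().startswith("#"):
                continue  # comment line
            m = ASSIGNMENT.match(line)
            if not m:
                continue
            key, value = m.group(1), m.group(2).strip().strip("'\"")
            if value and SECRET_KEY.search(key):
                names.append(key)
    return names


def audit_web_root(web_root):
    """Walk a directory that will be served publicly; report dotenv files."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if DOTENV_NAME.match(name):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, web_root)
                findings.append((rel, secret_keys_in(full)))
    return sorted(findings)


if __name__ == "__main__":
    results = audit_web_root(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, keys in results:
        print(f"{rel}: dotenv file in served path; secret-like keys: {keys or 'none'}")
    sys.exit(1 if results else 0)  # non-zero exit fails a CI/deploy step
```

Run against the build output before publishing; any finding means the file should be moved out of the served tree and the listed credentials rotated.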
The exposed environment variable file was found in an open directory on the JamCOVID website. Although the JamCOVID …