by Paul Ducklin Mobile health app Babylon, which states its company mission as putting “an accessible and affordable health service in the hands of
Mobile health app Babylon, which states its company mission as putting “an accessible and affordable health service in the hands of every person on earth”, has admitted to a software bug that went one step further than that.
According to a BBC report, an app user in the UK ended up with other people’s health service data in his hands.
The user, named by the BBC as Rory Glover from Leeds in England, apparently used the app to check up on a prescription of his own, only to find that the “Consultation Replays” feature of the app contained a list of 50 videos for him to review.
As you can imagine, he went to check out what the videos were about – a screenshot shared by the BBC shows that they were identified only as “Replay N”, where N is a counter, so there was nothing to suggest that the data belonged to someone else.
Clicking on one of them made the nature of the unexpected videos clear: it was a recording of someone else’s video chat with a doctor made via the service.
Glover contacted someone he knew who used to work at Babylon, and that person did the right thing by alerting the company to the breach.
As far as we can tell, Babylon acted quickly to remove the rogue videos from Glover’s “Replays” gallery, as well as reporting itself to the Information Commissioner’s Office (ICO), the UK’s privacy and data protection authority.
Babylon doesn’t yet seem to have a statement about what happened on its own blog or website [2020-06-10T11:00Z], but is widely reported as saying that this “was the result of a software error rather than a malicious attack.”
That may sound like cold comfort but it does imply that we’re not looking at a situation where crooks made off with a bunch of video files that they could sell on or use for cyberextortion in the future.
The company also says that its investigations suggest that just three users in total (of whom Mr Glover was one) received links to other patients’ videos, and that the other two users never actually got round to looking at any of the videos they weren’t supposed to see.
We don’t yet know how many different patients’ videos were on the lists that were exposed, but Babylon has blamed the blunder on a “new feature” whereby someone talking to a doctor via the app can switch up to video mode during the call.
We don’t want to put too much thought into the reasons why, after talking through a patient’s symptoms, a doctor might want to switch to video mode – or what squeamish sights might end up being filmed in such a call.
Nevertheless, we’re relieved to hear that this problem seems to have been fixed quickly enough that only one video was viewed by the wrong person, so any real-world damage was very limited and swiftly contained.
We’re also relieved because the person who viewed the wrong video decided to do something positive by getting the issue reported, and because the person who reported it seems to have been able to make contact with Babylon quickly and effectively.
(We’re aware that the reporter used to work for Babylon, which probably made it easier to find the right person to talk to, but we also note that Babylon’s bug reporting pages are pretty easy to find by clicking on the Regulatory link on its home page.)
The big question, though, is how this data leakage bug got through software testing, and what Babylon will do to avoid this kind of bug getting out into the wild in future, given the ultra-personal nature of the data that was exposed.
What to do?
- If you’re a Babylon app user, there doesn’t seem to be anything you need to do – as far as we can tell, the problem was caused by a bug on the server side, meaning that fixing it could be handled centrally without an app update.
- If you’re a mobile app developer, don’t rely on the coding mantra from the early days of cloud development that said, “Move fast and break things.” That was never a good mantra for anyone; was never appropriate in fields like healthcare; and has long been set to one side. Security should never be an add-on component that you mix in later when you think your new software features are complete. (Without security baked in, they can never be complete.)
- If you’re a service provider, make sure there’s a clear process that your users can follow to report software bugs or privacy problems. If you can, consider running a bug bounty system that gives an incentive for professional bug hunters to look for and report possible problems in your product in a responsible way.