So 2 weeks ago I am having cough and cold and I am about to get vaccinated. So I though to get COVID tested before vaccination. Then I got to know that there is a covid-19 antigen test kit available by mylabdiscoverysolutions. Which provides an mobile app based antigen self-test kit. I got the kit from Flipkart and did my test and luckily got negative.

Endpoint holds data so disclosing the issue partially with redacted information.

So lets start,

The app provides a functionality where you have to create one account in Mylab Coviself mobile app and you can save and share your test result.

Under Reports section there is section called View Report

When I clicked the View Report one API called made to xxx.xxx.com with a parameter called patient_test_id

Where its displays the user's Name, address, age, phone number and the covid test result and user can down the report as pdf

So the patient_test_id parameter is vulnerable to IDOR , by replacing the value of patient_test_id I am able to see any user's data which includes name,address,age,Mobile number,gender, email(few email getting disclosed as it's a optional field during signup) and the COVID test result. Below are few result with redacted information

The attack is pretty straight forward by using burp suit intruder attacker can extract all user information

Till today (18th June) 40694 user done the antigen test and all information are publicly accessible.