In May 2020, Amnesty International’s Security Lab discovered a critical vulnerability
in Qatar’s mandatory COVID-19 contact tracing application, Ehteraz. The flaw allowed
any attacker to access the sensitive personal and health data of over one million users through
a predictable QID (Qatar ID) enumeration attack against the app’s API, which lacked
proper authentication controls.
The vulnerability was particularly alarming because Ehteraz was mandatory for all residents
of Qatar. Failure to install and activate the app was punishable by up to three years
imprisonment and a fine of QAR 200,000 ($55,000). Users had no choice but to submit their
data to a system with a fundamental security flaw. Qatar’s Ministry of Interior patched
the vulnerability within three days of Amnesty’s disclosure.
## Key Facts
- **What:** Critical API vulnerability in Qatar's mandatory Ehteraz COVID tracing app.
- **Who:** Over one million Qatar residents forced to use the app.
- **Data Exposed:** Names, Qatar IDs, COVID health status, and GPS quarantine locations.
- **Outcome:** Qatar patched the vulnerability within three days of Amnesty's disclosure.
## What Was Exposed
- Full names and Qatar ID (QID) numbers for every registered user of the Ehteraz
application, encompassing Qatari citizens and foreign residents alike
- COVID-19 health status classifications including infected, quarantined, suspected,
and clear designations linked to individual identity records
- GPS-based quarantine location data revealing the precise physical location where
infected or quarantined individuals were isolating
- Contact tracing interaction logs recording proximity events between users, revealing
social contact patterns and physical movements
- Health facility visit records and test result data linked to individual QIDs
- Phone numbers and device identifiers associated with each user account
The technical vulnerability was an Insecure Direct Object Reference (IDOR) flaw in the
Ehteraz API. Qatar ID numbers follow a predictable sequential format, and the API endpoint
that retrieved user data accepted QID numbers as input parameters without verifying that
the requesting user was authorized to access that particular record. An attacker could
simply enumerate QID numbers sequentially and retrieve the complete profile, including
health status and location data, for every person registered in the system.
The absence of API authentication meant that no login, token, or session validation was
required to query the endpoint. This is not a subtle vulnerability requiring sophisticated
exploitation: it is a fundamental design failure where the API trusted any incoming
request without verification. Automated scripts could have harvested the entire database
of over one million records in hours.
The mandatory nature of Ehteraz greatly amplified the severity of the vulnerability.
Qatar’s population of approximately 2.8 million had no legal option to opt out of
the system. The government criminalized non-compliance: residents who failed to install
or activate the app faced up to three years in prison and a QAR 200,000 fine. By compelling
universal enrollment while failing to secure the underlying system, the government created
a situation where every person in Qatar was forced to submit their personal and health data
to a vulnerable platform.
The combination of health status data with GPS quarantine locations created particularly
dangerous exposure. An attacker could identify every COVID-positive individual in Qatar
by name, national ID number, and physical location. During the early months of the
pandemic, when COVID-19 carried intense social stigma, this data could have been weaponized
for discrimination, harassment, or even targeted physical attacks against infected
individuals. For migrant workers in labor camps, who constituted a significant
proportion of Qatar’s COVID cases, the exposure of infection status alongside
location data posed acute risks of employer retaliation and deportation.
Amnesty International’s analysis identified the Ehteraz vulnerability as part of a
broader pattern of COVID contact tracing applications across the MENA region that
prioritized rapid deployment over security. The organization evaluated 11 contact tracing
apps from around the world and rated Ehteraz among the most concerning, alongside
applications from Bahrain, Kuwait, and Norway, for centralized data collection, excessive
permissions, and inadequate security controls.
## Regulatory Analysis
Qatar’s Law No. 13 of 2016 on Personal Data Privacy Protection was in force at the
time of the Ehteraz vulnerability, creating a complex regulatory scenario where the
government was simultaneously the data controller that developed the app, the enforcement
authority responsible for data protection, and the entity that mandated universal
participation.
Article 3 of Law No. 13 requires that personal data be processed fairly and lawfully,
with appropriate security safeguards. The deployment of an API endpoint without
authentication controls constitutes a clear failure of the security safeguard requirement.
Article 7 mandates that data controllers implement “appropriate technical and
organizational measures” to protect personal data against unauthorized access. An
IDOR vulnerability that allows enumeration of the entire user database without any
authentication is the antithesis of appropriate technical measures.
Article 4 addresses the processing of sensitive personal data, which explicitly includes
health data. The processing of health information requires elevated protections beyond
those applied to ordinary personal data. The Ehteraz app collected and stored some of
the most sensitive health data imaginable, an individual’s infectious disease
status during an active pandemic, and protected it with effectively no access
controls. This represents a violation of both the letter and the spirit of Article 4.
The enforcement challenge is evident: when the data controller is a government ministry,
and the enforcement authority operates within the same governmental structure, the
independence necessary for effective regulatory action is compromised. Qatar’s
Ministry of Transport and Communications (MOTC), responsible for data protection
oversight, was unlikely to bring enforcement action against the Ministry of Interior,
which operated the Ehteraz platform. This structural conflict of interest highlights
the importance of independent data protection authorities with genuine autonomy from
the executive branch.
The three-day patch timeline, while commendable in its speed, raises questions about
the vulnerability disclosure process. Amnesty International reported the flaw directly
to the Qatari authorities, who responded quickly. However, there was no public
acknowledgment of the vulnerability, no notification to affected users, and no
assessment of whether the flaw had been exploited before discovery. Under a mature
data protection framework, users who were forced to submit their data to the platform
would have been entitled to know that their health data had been at risk.
## What Should Have Been Done
The Ehteraz vulnerability was entirely preventable with standard application security
practices. The most fundamental requirement was proper API authentication and
authorization. Every API endpoint that returns personal data must verify that the
requesting entity is authenticated (confirmed identity) and authorized (permitted to
access the specific record requested). OAuth 2.0 with JWT tokens, combined with
server-side authorization checks that validate the requesting user’s right to
access each specific record, would have eliminated the IDOR vulnerability entirely.
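The IDOR described above and the authentication-plus-authorization fix recommended here, as an added example that is not Ehteraz code: a minimal record-lookup handler in the vulnerable "trust the QID parameter" form beside a hardened form that binds the request to an authenticated session and performs an object-level check before touching the record. The QIDs, records, session tokens and the contact-tracer role are constructed sample data.

```python
from typing import Optional

# Constructed sample data (not real Ehteraz records), keyed by QID.
RECORDS = {
    "28012345601": {"name": "User A", "status": "clear"},
    "28012345602": {"name": "User B", "status": "quarantined"},
}
# Session token -> authenticated QID; in a real deployment this would be a
# verified OAuth 2.0 / JWT subject, not an in-memory dictionary.
SESSIONS = {"tok-a": "28012345601", "tok-tracer": "28099999999"}
# Hypothetical role: subjects allowed to read records other than their own.
CONTACT_TRACERS = {"28099999999"}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def lookup_vulnerable(qid: str) -> dict:
    """IDOR form: the QID in the request is the only 'key'. Any caller
    who can guess a valid QID gets the full record."""
    return RECORDS[qid]


def lookup_hardened(token: Optional[str], qid: str) -> dict:
    """Hardened form: authenticate, then authorize against the specific
    record, and only then look the record up."""
    # 1. Authentication: every request must carry a valid session.
    if token is None or token not in SESSIONS:
        raise Unauthenticated("valid session required")
    subject = SESSIONS[token]
    # 2. Object-level authorization: a subject may read only its own record
    #    unless it holds an explicit role for other records. This check runs
    #    before the existence check so a caller cannot learn whether an
    #    arbitrary QID is registered from the error they receive.
    if subject != qid and subject not in CONTACT_TRACERS:
        raise Forbidden(f"{subject} may not read record {qid}")
    # 3. Only now is the record fetched.
    if qid not in RECORDS:
        raise KeyError(qid)
    return RECORDS[qid]
```

The ordering in the hardened form matters: authorization failures must not be distinguishable from "record does not exist" for callers who are not entitled to the record.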
Rate limiting and anomaly detection on the API should have been implemented to detect
and block enumeration attempts. Sequential requests for QID-based lookups across
different user records are a clear indicator of malicious activity. API gateways with
rate limiting, request pattern analysis, and automated blocking of suspicious activity
would have detected an enumeration attack within minutes, even if the underlying
authorization vulnerability existed.
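The request-pattern analysis described above, as an added example that is not part of Amnesty's report or the Ehteraz platform: a detector that groups API access-log lines by client, slides a time window over each client's requests, and flags clients that query many distinct QIDs whose values are mostly consecutive. The log format, endpoint path, client addresses and QIDs are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines: timestamp, client, request, HTTP status.
# One client walks five consecutive QIDs in three seconds; another reads a
# single record twice.
LOG_LINES = """\
2020-05-20T10:00:00Z 203.0.113.5 GET /api/user?qid=28012345601 200
2020-05-20T10:00:01Z 203.0.113.5 GET /api/user?qid=28012345602 200
2020-05-20T10:00:01Z 203.0.113.5 GET /api/user?qid=28012345603 200
2020-05-20T10:00:02Z 203.0.113.5 GET /api/user?qid=28012345604 200
2020-05-20T10:00:02Z 203.0.113.5 GET /api/user?qid=28012345605 200
2020-05-20T10:00:03Z 198.51.100.7 GET /api/user?qid=28087654321 200
2020-05-20T10:05:00Z 198.51.100.7 GET /api/user?qid=28087654321 200
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) GET /api/user\?qid=(\d+) (\d+)$")


def parse_line(line):
    """Return (timestamp, client, qid) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), int(m.group(3))


def find_enumerators(lines, window=timedelta(seconds=60),
                     min_distinct=5, min_sequential_ratio=0.8):
    """Map client -> (distinct QIDs, consecutive steps) for clients whose
    requests inside any window look like a sequential walk of the ID space."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # drop events outside the window
            distinct = sorted({q for _, q in events[start:end + 1]})
            if len(distinct) < min_distinct:
                continue                        # too few records to call it a walk
            steps = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
            if steps / (len(distinct) - 1) >= min_sequential_ratio:
                flagged[client] = (len(distinct), steps)
    return flagged
```

Thresholds are illustrative; in production the decision would also weigh response status and the proportion of records the client is actually entitled to.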
A security assessment program proportionate to the sensitivity of the data and the
mandatory nature of the application was essential. Before mandating that 2.8 million
people submit their health data to the platform, the government should have commissioned
independent penetration testing, code review, and architecture review by qualified
security firms. The IDOR vulnerability would have been identified immediately in any
competent security assessment; it is among the most common and well-understood
classes of API vulnerabilities, appearing prominently in the OWASP API Security Top 10.
Data minimization principles should have guided the app’s architecture from
inception. The centralized storage of health status, GPS location, and national ID in
a single queryable database created unnecessary risk. Decentralized contact tracing
architectures, such as the Apple/Google Exposure Notification framework, demonstrate
that effective contact tracing can be achieved while minimizing the personal data
collected and centrally stored. Qatar could have achieved its public health objectives
while significantly reducing the privacy risk to its population.
Transparency and independent oversight should have accompanied the mandatory
deployment. When a government compels universal participation in a data collection
system under threat of imprisonment, it assumes an extraordinary responsibility
to ensure that system’s security. Independent security audits with published
results, a privacy impact assessment, and an independent data protection officer
overseeing the project would have provided the accountability that the mandatory
nature of the application demanded.
The Ehteraz vulnerability demonstrates the acute risks created when governments
mandate participation in data collection systems without ensuring adequate security.
Over one million people were forced to submit their health data to a platform with
a fundamental authentication flaw, an IDOR vulnerability that any competent
security assessment would have identified. When compliance is compulsory, the duty
of care is absolute.