In May 2020, Amnesty International’s Security Lab discovered a critical vulnerability in Qatar’s mandatory COVID-19 contact tracing application, Ehteraz. The flaw allowed any attacker to access the sensitive personal and health data of over one million users through a predictable QID (Qatar ID) enumeration attack against the app’s API, which lacked proper authentication controls.
Key Facts
- What: Critical API vulnerability in Qatar's mandatory Ehteraz COVID tracing app.
- Who: Over one million Qatar residents forced to use the app.
- Data Exposed: Names, Qatar IDs, COVID health status, and GPS quarantine locations.
- Outcome: Qatar patched the vulnerability within three days of Amnesty's disclosure.
What Was Exposed
- Full names and Qatar ID (QID) numbers for every registered user of the Ehteraz application, encompassing Qatari citizens and foreign residents alike
- COVID-19 health status classifications including infected, quarantined, suspected, and clear designations linked to individual identity records
- GPS-based quarantine location data revealing the precise physical location where infected or quarantined individuals were isolating
- Contact tracing interaction logs recording proximity events between users, revealing social contact patterns and physical movements
- Health facility visit records and test result data linked to individual QIDs
- Phone numbers and device identifiers associated with each user account
The technical vulnerability was an Insecure Direct Object Reference (IDOR) flaw in the Ehteraz API. Qatar ID numbers follow a predictable sequential format, and the API endpoint that retrieved user data accepted QID numbers as input parameters without verifying that the requesting user was authorized to access that particular record. An attacker could simply enumerate QID numbers sequentially and retrieve the complete profile, including health status and location data, for every person registered in the system.
The absence of API authentication meant that no login, token, or session validation was required to query the endpoint. This is not a subtle vulnerability requiring sophisticated exploitation; it is a fundamental design failure where the API trusted any incoming request without verification. Automated scripts could have harvested the entire database of over one million records in hours.
The mandatory nature of Ehteraz greatly amplified the severity of the vulnerability.
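As an added illustration of the flaw described above (example code written for this analysis, not Ehteraz's own), the following Python contrasts a record lookup that serves whatever QID the client supplies with one that authenticates the session and checks object-level authorization before touching the record. The records, QIDs, session store and role names are constructed.

```python
# Added illustration of the IDOR pattern in the Ehteraz API, not the app's
# real code. Records, QIDs, the session store and the role names are constructed.
import secrets

# Constructed sample records keyed by sequential QIDs, as the article describes.
RECORDS = {
    "28012345601": {"name": "User A", "status": "quarantined", "lat": 25.28, "lon": 51.53},
    "28012345602": {"name": "User B", "status": "clear", "lat": None, "lon": None},
}

# Hypothetical session store: opaque random token -> authenticated QID and role.
SESSIONS = {}

def issue_session(qid, role="user"):
    """Bind a fresh unguessable token to an identity the login step already verified."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"qid": qid, "role": role}
    return token

def lookup_vulnerable(qid):
    """Insecure Direct Object Reference: whatever QID the client sends is served.
    No authentication, no ownership check; stepping through QIDs dumps every record."""
    return RECORDS.get(qid)

def lookup_hardened(token, qid):
    """Authenticate the caller, then authorize them for the requested object.
    Returns (http_status, record_or_None) so the outcome is easy to check."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, None                      # no valid session: unauthenticated
    # Object-level authorization: a user may read only their own record;
    # only a privileged role may read other users' records.
    if session["qid"] != qid and session["role"] != "health_official":
        # Checked before the fetch, so a caller probing other QIDs learns
        # nothing, not even whether the record exists.
        return 403, None
    record = RECORDS.get(qid)
    return (200, record) if record else (404, None)
```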
Qatar’s population of approximately 2.8 million had no legal option to opt out of the system. The government criminalized non-compliance: residents who failed to install or activate the app faced up to three years in prison and a QAR 200,000 fine. By compelling universal enrollment while failing to secure the underlying system, the government created a situation where every person in Qatar was forced to submit their personal and health data to a vulnerable platform.
The combination of health status data with GPS quarantine locations created particularly dangerous exposure. An attacker could identify every COVID-positive individual in Qatar by name, national ID number, and physical location. During the early months of the pandemic, when COVID-19 carried intense social stigma, this data could have been weaponized for discrimination, harassment, or even targeted physical attacks against infected individuals.
For migrant workers in labor camps, who constituted a significant proportion of Qatar’s COVID cases, the exposure of infection status alongside location data posed acute risks of employer retaliation and deportation.
Amnesty International’s analysis identified the Ehteraz vulnerability as part of a broader pattern of COVID contact tracing applications across the MENA region that prioritized rapid deployment over security. The organization evaluated 11 contact tracing apps from around the world and rated Ehteraz among the most concerning, alongside applications from Bahrain, Kuwait, and Norway, for centralized data collection, excessive permissions, and inadequate security controls.
Regulatory Analysis
Qatar’s Law No. 13 of 2016 on Personal Data Privacy Protection was in force at the time of the Ehteraz vulnerability, creating a complex regulatory scenario where the government was simultaneously the data controller that developed the app, the enforcement authority responsible for data protection, and the entity that mandated universal participation.
Article 3 of Law No. 13 requires that personal data be processed fairly and lawfully, with appropriate security safeguards. The deployment of an API endpoint without authentication controls constitutes a clear failure of the security safeguard requirement.
Article 7 mandates that data controllers implement “appropriate technical and organizational measures” to protect personal data against unauthorized access. An IDOR vulnerability that allows enumeration of the entire user database without any authentication is the antithesis of appropriate technical measures.
Article 4 addresses the processing of sensitive personal data, which explicitly includes health data. The processing of health information requires elevated protections beyond those applied to ordinary personal data. The Ehteraz app collected and stored some of the most sensitive health data imaginable, an individual’s infectious disease status during an active pandemic, and protected it with effectively no access controls. This represents a violation of both the letter and the spirit of Article 4.
The enforcement challenge is evident: when the data controller is a government ministry, and the enforcement authority operates within the same governmental structure, the independence necessary for effective regulatory action is compromised. Qatar’s Ministry of Transport and Communications (MOTC), responsible for data protection oversight, was unlikely to bring enforcement action against the Ministry of Interior, which operated the Ehteraz platform.
This structural conflict of interest highlights the importance of independent data protection authorities with genuine autonomy from the executive branch.
The three-day patch timeline, while commendable in its speed, raises questions about the vulnerability disclosure process. Amnesty International reported the flaw directly to the Qatari authorities, who responded quickly. However, there was no public acknowledgment of the vulnerability, no notification to affected users, and no assessment of whether the flaw had been exploited before discovery. Under a mature data protection framework, users who were forced to submit their data to the platform would have been entitled to know that their health data had been at risk.
What Should Have Been Done
The Ehteraz vulnerability was entirely preventable with standard application security practices. The most fundamental requirement was proper API authentication and authorization. Every API endpoint that returns personal data must verify that the requesting entity is authenticated (confirmed identity) and authorized (permitted to access the specific record requested). OAuth 2.0 with JWT tokens, combined with server-side authorization checks that validate the requesting user’s right to access each specific record, would have eliminated the IDOR vulnerability entirely.
Rate limiting and anomaly detection on the API should have been implemented to detect and block enumeration attempts. Sequential requests for QID-based lookups across different user records are a clear indicator of malicious activity. API gateways with rate limiting, request pattern analysis, and automated blocking of suspicious activity would have detected an enumeration attack within minutes, even if the underlying authorization vulnerability existed.
A security assessment program proportionate to the sensitivity of the data and the mandatory nature of the application was essential. Before mandating that 2.8 million people submit their health data to the platform, the government should have commissioned independent penetration testing, code review, and architecture review by qualified security firms. The IDOR vulnerability would have been identified immediately in any competent security assessment; it is among the most common and well-understood classes of API vulnerabilities, appearing prominently in the OWASP API Security Top 10.
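The following added Python example (not part of the original analysis) runs the enumeration indicator described above over constructed access-log lines, flagging a client that reads many distinct, consecutively numbered QIDs inside one time window. The log format, the /api/user/<qid> path, the client addresses and the thresholds are assumptions.

```python
# Added detection example for the enumeration indicator described above; the
# log format, the /api/user/<qid> path, client addresses and thresholds are assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines: timestamp, client, method, path, HTTP status.
# 203.0.113.7 steps through consecutive QIDs; 198.51.100.4 reads one record.
SAMPLE_LOG = """\
2020-05-20T10:15:00Z 203.0.113.7 GET /api/user/28012345601 200
2020-05-20T10:15:01Z 203.0.113.7 GET /api/user/28012345602 200
2020-05-20T10:15:01Z 198.51.100.4 GET /api/user/28098765432 200
2020-05-20T10:15:02Z 203.0.113.7 GET /api/user/28012345603 200
2020-05-20T10:15:03Z 203.0.113.7 GET /api/user/28012345604 200
2020-05-20T10:15:04Z 203.0.113.7 GET /api/user/28012345605 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) GET /api/user/(\d+) (\d{3})$")

def parse_log(text):
    """Yield (timestamp, client, qid) for every record-lookup line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), int(m.group(3))

def detect_enumeration(text, window_seconds=60, min_distinct=5, min_seq_ratio=0.8):
    """Flag clients that look up many distinct QIDs inside one time window where
    most neighbouring QIDs differ by exactly 1. Works even if the authz bug exists."""
    by_client = defaultdict(list)
    for ts, client, qid in parse_log(text):
        by_client[client].append((ts, qid))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window
                start += 1
            distinct = sorted({q for _, q in events[start:end + 1]})
            if len(distinct) < min_distinct:
                continue
            steps = [b - a for a, b in zip(distinct, distinct[1:])]
            ratio = sum(s == 1 for s in steps) / len(steps)
            if ratio >= min_seq_ratio and len(distinct) > alerts.get(client, {}).get("distinct_qids", 0):
                alerts[client] = {"distinct_qids": len(distinct), "sequential_ratio": ratio}
    return alerts
```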
Data minimization principles should have guided the app’s architecture from inception. The centralized storage of health status, GPS location, and national ID in a single queryable database created unnecessary risk. Decentralized contact tracing architectures, such as the Apple/Google Exposure Notification framework, demonstrate that effective contact tracing can be achieved while minimizing the personal data collected and centrally stored. Qatar could have achieved its public health objectives while significantly reducing the privacy risk to its population.
Transparency and independent oversight should have accompanied the mandatory deployment. When a government compels universal participation in a data collection system under threat of imprisonment, it assumes an extraordinary responsibility to ensure that system’s security. Independent security audits with published results, a privacy impact assessment, and an independent data protection officer overseeing the project would have provided the accountability that the mandatory nature of the application demanded.
The Ehteraz vulnerability demonstrates the acute risks created when governments mandate participation in data collection systems without ensuring adequate security.
Over one million people were forced to submit their health data to a platform with a fundamental authentication flaw, an IDOR vulnerability that any competent security assessment would have identified. When compliance is compulsory, the duty of care is absolute.