A Security Bug in Health App Docket Exposed COVID-19 Vaccine Records (techcrunch.com)

A security bug in the health app Docket exposed the private information of residents vaccinated against COVID-19 in New Jersey and Utah, where the app received endorsements from state officials. From a report: Docket lets residents download and carry a digital copy of their immunizations by pulling their vaccination records from their state's health authority. The digital copy has the same information as the COVID-19 paper card, but is digitally signed by the state to prevent forgeries. Docket is one of several so-called vaccine passports in the U.S., allowing residents to show their vaccination records -- or a scannable QR code -- for getting into events, restaurants or crossing into countries where vaccines are required.

But for a time, the app allowed anyone access to the QR codes of other vaccinated users -- and all the personal and vaccine information encoded within. That included names, dates of birth and information about a person's COVID-19 vaccination status, such as which type of vaccine they received and when. TechCrunch discovered the bug on Tuesday and immediately contacted the company. Docket chief executive Michael Perretta said the bug was fixed at the server level a few hours later. The bug was found in how the Docket app requests the user's QR code from its servers. The user's QR code is generated on the server in the form of a SMART Health Card, a widely accepted standard for validating a person's vaccination status across the world. That QR code is tied to a user ID, which isn't visible from the app, but can be viewed by looking at its network traffic using off-the-shelf software like Burp Suite or Charles Proxy.
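The flaw described above is an access-control defect: the QR code was fetched by a user ID that the server never tied to the caller's own session. This added example (not Docket's code) models that defect beside the corrected handler, using constructed sessions and health-card records; the user IDs, tokens and record fields are assumptions for illustration.

```python
"""
Added example, not Docket's code: a minimal model of a record endpoint keyed
by a client-supplied user ID. The vulnerable handler only checks that the
caller is logged in; the hardened one resolves the record from the session
and refuses (and logs) any request for a different user's ID.
"""
from dataclasses import dataclass

# Constructed sample records: two vaccinated users (fake data).
HEALTH_CARDS = {
    "u-1001": {"name": "A. Example", "dob": "1980-01-01",
               "vaccine": "mRNA-1273", "dose_dates": ["2021-03-01", "2021-03-29"]},
    "u-1002": {"name": "B. Example", "dob": "1975-06-15",
               "vaccine": "BNT162b2", "dose_dates": ["2021-04-10", "2021-05-01"]},
}

# Constructed session store: session token -> authenticated user ID.
SESSIONS = {"tok-alice": "u-1001", "tok-bob": "u-1002"}


@dataclass
class Request:
    session_token: str
    user_id: str  # the ID the client placed in the request


def vulnerable_qr_endpoint(req: Request) -> dict:
    """Authenticates the caller, then serves whatever user_id was requested."""
    if req.session_token not in SESSIONS:
        raise PermissionError("not authenticated")
    return HEALTH_CARDS[req.user_id]  # never compared to the caller's own ID


def hardened_qr_endpoint(req: Request) -> dict:
    """Resolves the record from the session; a mismatched ID is refused."""
    owner = SESSIONS.get(req.session_token)
    if owner is None:
        raise PermissionError("not authenticated")
    if req.user_id != owner:
        # The mismatch is the signal worth alerting on: repeated occurrences
        # from one session indicate an enumeration attempt.
        raise PermissionError(f"session for {owner} requested record {req.user_id}")
    return HEALTH_CARDS[owner]


def demo() -> tuple:
    """Returns (leaked_by_vulnerable, blocked_by_hardened) for a cross-user request."""
    cross_user = Request(session_token="tok-alice", user_id="u-1002")
    leaked = vulnerable_qr_endpoint(cross_user)["name"] == "B. Example"
    try:
        hardened_qr_endpoint(cross_user)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked
```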

  • That rushed (yeah, rushed *and* half-assed) digital passport software running on consumer-grade phones and slapped-together backends would have bugs and security flaws?

    So let's make it mandatory!

    Just one of the many moral, practical, and epidemiological objections I have to vaccine passports.

    • by cayenne8 ( 626475 ) on Thursday October 28, 2021 @09:43AM (#61935495) Homepage Journal
      Hell, I refuse to keep ANY type of digital wallet of documents like this on my phone, etc.

      No, I don't want my drivers license on here either....I don't want to be handing my phone over to officials for verification of anything, especially if the phone has to be open for that info.

      That's just a bad start to consenting to search of everything at the very least.

      So, are there places in the US that are actually requiring covid vaccination "passports"?

      What states/cities are doing this? I know a lot are offered in several places, but are they being actively required for normal life or admittance to venues?

      If so, where?

      • by ArchieBunker ( 132337 ) on Thursday October 28, 2021 @09:52AM (#61935515)

        So, are there places in the US that are actually requiring covid vaccination "passports"?

        Mostly restaurants and concert venues, which they are perfectly within their rights to do.

        • Mostly restaurants and concert venues, which they are perfectly within their rights to do.

          But where? That was my main question, I'm curious what states/cities are requiring things like this?

          What do people that don't have or can't afford smart phones do for entry?

          And with this... where does it stop?

          Will we add things like hepatitis status to this too?

          • NYC, Los Angeles and the Bay Area mandate it.

            Other places private businesses do it without mandates. There are some restaurants and theaters in the Boston area that have been doing it for a few months.

            I'll remember who they are. Will never patronize them. Ever.

          • But where? That was my main question, I'm curious what states/cities are requiring things like this?

            This has nothing to do with the cities and states. It's whoever owns the venue or restaurant wanting a vaccine record or negative test. Why do you keep trying to play the oppression card here?

            • This has nothing to do with the cities and states. It's whoever owns the venue or restaurant wanting a vaccine record or negative test. Why do you keep trying to play the oppression card here?

              It does here in Canada. Most provinces are requiring restaurants and sports venues to check your vaccine status. Businesses that fail to do so face steep fines. I believe some European countries like France are also like this.

            • ArchieBunghole,
              You are full of shit! King county Washington, the county that holds Seattle, requires proof of mRNA injection to go into most places. (restaurants, gyms, theaters, etc). In California there are already at least 2 In and Out Burger(s) being shut down for not being the injection police. Do you just not read the news? Are you that out of touch but willing to make statements to the contrary?

              I also see further down in your bull shit reply to other people that if it is private property people can d

            • Well, it is a form of discrimination...

              And if you are vaccinated, why do you feel the need to be "protected" from the unvaccinated?

          • What do people that don't have or can't afford smart phones do for entry?

            And with this... where does it stop?

            Will we add things like hepatitis status to this too?

            They show the handy little card with your vaccines dates and batch numbers that was totally free. You don't have any constitutional rights to eat at Applebees or attend a concert. This is not a "papers please" situation.

            • You don't have any constitutional rights to eat at Applebees or attend a concert.

              I do have a constitutional right to decline to present my personal records to anyone who isn't a cop with a legitimate search warrant.

              I also have a right to freedom of association. If Applebee's wants my business and wants my vax card, then there is no mutual agreement there. But if it's the government telling Applebees that they must demand my vax card, then yeah it is a papers please situation.

              And if the government requires it indirectly, like by threatening mass business closures again without expli

              • Vaccine mandates are upheld by the Supreme Court. https://www.politico.com/news/... [politico.com]

                • A vaccine mandate and a vaccine passport for everyday activities are not the same thing.

                  • by Pascoea ( 968200 )
                    So how do you square the two? If vaccine mandates are legal, how do you propose handling it? There has to be a middle ground between the honor system and a national registry. Having a piece of paper right next to your government issued drivers license and social security card seems like a good happy medium. (Yes, I'm aware you're not supposed to carry your SS card in your wallet)

                    I do have a constitutional right to decline to present my personal records to anyone who isn't a cop with a legitimate search warrant.

                    Do you get pissy when the bartender demands your ID before they serve you a beer? You absolutely have the right to refuse t

                    • I don't have to drink beer; I do have to eat food.

                      There have been many cases of practicing physicians making a public show of denying treatment to people who aren't vaccinated against covid. I'm not aware of any cases where this is a hospital policy, but if it becomes one and I land in the emergency room for something without my vax card on me...am I up the creek?

                      I don't need to go to the gym, but I might need to be seen by a physician.

                      Emergency rooms do check your insurance card, but if you don't have one

                    • When a barman demands your ID, that isn't for the purposes of recording your name and address and details of your medical history, merely to verify your age. But because the code contains all kinds of data about you, even though it is meant as a verification, it is actually a license to harvest personal details.

                • Vaccine mandates are upheld by the Supreme Court. https://www.politico.com/news/... [politico.com]

                  That's a vaccine mandate, on the state level.

                  That is not the same as having to carry around "paper" and present proof of such for admittance to places or the ability to participate in every day activities.

              • by bws111 ( 1216812 )

                Ever been to a bar? They routinely make you show 'your papers', as mandated by the government. Oh, the horror!

                • Okay. Let's s/bar|gym|restaurant|theater/library/

                  Is it okay for the government to demand to see your papers in order to go to the library, and deny you entry based on your beliefs, which require that you not present your papers and not participate in these epidemiology theater games?

                • Ever been to a bar? They routinely make you show 'your papers', as mandated by the government. Oh, the horror!

                  Wow...I can't remember the last time I was carded at a bar.

                  I guess I haven't looked underage in a long time.

          • by Pascoea ( 968200 )
            I live in Minneapolis, while not mandated (that I'm aware of), there are some venues that are requiring proof of vaccination or negative test to enter an event.

            What do people that don't have or can't afford smart phones do for entry?

            Paper vaccine proof will still suffice.

            And with this... where does it stop?

            Like every other "where do you draw the line?" question, the answer is always "Somewhere." You have to draw the line somewhere. Right now that line is at "COVID", and will be adjusted based on fear and (hopefully) science. I'm not saying whether I agree or disagree with where the current line is, I'm just poi

        • by hduff ( 570443 )

          So, are there places in the US that are actually requiring covid vaccination "passports"?

          Mostly restaurants and concert venues, which they are perfectly within their rights to do.

          You seem to be too reasonable to be on social media . . .

        • the Nazis had pieces of flair that they made the Jews wear.

      • I take issue with this:

        > The user's QR code is generated on the server in the form of a SMART Health Card, a widely accepted standard for validating a person's vaccination status across the world.

        This standard dictates all kinds of PII is available to anybody who has a reader: name, address, date of birth, vaccination types, vaccination dates and more besides..

        A restaurant I might want to go to has no business knowing any of that. All they need is a verification of a vaccination (and that it is still con

    • How can I gain advantage over you by knowing your vaccination status? What harm could I cause to you by knowing that you've been vaccinated?

      • I'm vaxxed. There, I said it. You have no power over me knowing that.

        But if you can find a way to disrupt the digital mechanism by which I prove it to other parties (assuming they don't take my word for it and require government-sanctioned verification mechanisms), whether by flooding the field with fake credentials or dosing the app on my phone, or manipulating the database I would use to set up my app...then you can harm me quite easily in the same way you could if you hacked into my bank or mortgage lend

      • With the QR code you don't just know my vaccination status. You also know my name, address, date of birth and a bunch of other stuff. What harm could you cause to me by knowing all that? Quite a lot.
