The rollouts and usage of vaccine passports are proving problem-laden in many places around the world, wither on technical or ethical merit, or both (or lack thereof), and the newest member of this “club” is an app called Docket, that is the endorsed Covid vaccine app in US states of Utah and New Jersey. The Centers for Disease Control and Prevention (CDC) also approved the app.
But just last week, reports revealed that Docket was yet another app that had a security vulnerability. TechCrunch said it was responsible for identifying the bug and submitting a report, while the CEO of the company behind the app, Michael Perretta, then informed them the server level bug had been fixed.
However, he was last Tuesday unable to say if somebody had exploited the vulnerability, saying instead that server logs were being inspected for traces of malicious activity. And he said that while the authorities of the two states that trusted Docket to be good enough for their residents would be informed, he wasn’t clear if users would be notified as well.
At least in New Jersey, this seemed to satisfy the state’s Department of Health, who pretty much repeated Perretta’s statement through a spokesperson, adding the unavoidable platitude of, “the privacy and security of Docket users remaining paramount.” The reaction was much the same in Utah.
What was happening prior was an undetected vulnerability compromising the integrity of QR codes – that contain information such as users name, date of birth, Covid vaccination status, date of vaccination, and the vaccine they received. And this information was stored, as it turns out, insecurely on Docket servers for an unspecified amount of time, letting anyone access and request any of other Docket users’ QR codes.
The makers of the app reportedly didn’t make sure that their servers were authenticating requests for QR codes – although this is possible with run of the mill and readily available software paired with QR codes generated by the SMART Health Card standard, that is being increasingly adopted around the world.
Docket previously said on Twitter it had a million users. That tweet is now gone.
The post Another day, another vaccine passport app caught exposing sensitive medical records of its users to the world appeared first on Reclaim The Net.
Reclaim The Net is a free speech and online privacy organization that defends our individual liberty by pushing back against big tech and media gatekeepers. Much of their work focuses on exposing digital tyrants and promoting free speech and privacy-friendly alternative online services. Visit reclaimthenet.org