Vaccine passport app leaks users’ personal data

Security and privacy advocates may have cause to worry after all: Portpass, a vaccine passport app in Canada, has been found to have been exposing the personal data of its users for an unknown length of time.

On Monday, Canadian Broadcasting Corporation (CBC) received a tip that “the user profiles on the app’s website could be accessed by members of the public.”

CBC won’t say how or where the data was found but does say it was unencrypted and could be viewed in plain text.

The data it found included email addresses, names, blood types, phone numbers, birthdays, as well as photos of identification like driver’s licences and passports.

portpass reveal 600x344 1
Some of the data found online (Source: CBC)

Portpass has a registered user base of 650,000 across Canada. CBC says that Portpass CEO Zakir Hussein denied the app had security issues and “accused those who raised concerns about it of breaking the law.”

CBC said Hussein repeatedly claimed the breach only lasted for minutes, even when CBC pointed out to him that it was able view the data for more than an hour. It’s unclear how long the data was exposed to the public.

“Someone that’s out there is trying to destroy us here, and we’re trying to build something good for people,” said Hussein, who seemed generally unsure of what to say. He was quoted as saying, “There’s holes, and what I’m realizing is I think there are some things that we need to fix here. And you know, we’re trying to play catch-up, I guess, and trying to figure out where these holes are.”

Portpass is easy to manipulate

Days before Portpass was notified of the breach, web developer Conrad Yeung tried Portpass out of curiosity. He said he quickly found an issue when he tried to upload not his photo ID but a photo of a random mayoral candidate in Calgary, Canada “just to see if the app would let me”.

Sure enough, Portpass allowed the upload. “It let me upload a random photo for my driver’s licence,” Yeung said.

He was able to create a fake vaccination record using an actor’s name, and Portpass verified this record to be legitimate.

Looking deeper, Yeung found that the website didn’t appear to validate security certificates, with a backend that the public can access. He also found discrepancies in Portpass’s marketing statements from what he was seeing. For example, the app claimed that it uses artificial intelligence (AI) and blockchain to verify records and keep them safe. However, Yeung said he didn’t see any traces of these at the site’s backend.

What worried Yeung more, he said, was that companies endorse the use of apps like Portpass without exercising due diligence. “You have somebody in a place of authority promoting something that is potentially unsafe and has privacy issues,” he said.

There is hesitancy in using vaccine passports

Vaccine passports—sometimes called COVID passports—are mobile apps that have been created to confirm the phone owner has received their COVID-19 vaccine. This, of course, opens doors for them to attend public events and visit other countries. While many think that this could lead to social problems like discrimination, there are also security and privacy risks, such as getting one’s data exposed. Such apps must be secure by design.

In the US, there is no government mandate on whether one should be using a vaccine app or not. But many private companies and airlines have started encouraging people to use these apps.

However, many users, especially in the US, have expressed concerns over the security of their health data when using such third-party apps. According to a survey conducted by cybersecuity firm, Panda Security, 56 percent of Americans do not trust vaccine passports. Those concerned question what type of information these apps would likely collect from them.

“Based on our survey results, we can clearly see the hesitancy many Americans have to make those records accessible to private companies, airlines and other corporations.” the report says.

I’m one of those afraid of using apps. What should I do?

Hold on to your vaccine cards and keep them safe all the time. Right now, this is your only true proof to let establishments know of your vaccine status. Don’t bring them with you every time you go out, as you would a credit card, especially when there is no need to verify your status.

A paper pass may not be the coolest thing to whip out as its not on your phone, but unless the government has endorsed an app everyone can use, you might want to rethink your plans of trying out one.

Stay safe!

The post Vaccine passport app leaks users’ personal data appeared first on Malwarebytes Labs.

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source