New York State fixes vulnerability in COVID-19 passport app that allowed storage of fake vaccine credentials
New York state has fixed an issue with the Excelsior Pass Wallet that allows users to acquire and store COVID-19 vaccine credentials.
The issue -- discovered by researchers at the NCC Group -- allows someone "to create and store fake vaccine credentials in their NYS Excelsior Pass Wallet that might allow them to gain access to physical spaces (such as businesses and event venues) where they would not be allowed without a vaccine credential, even when they have not received a COVID-19 vaccine."
The researchers found that the application did not validate vaccine credentials added to it, allowing forged credentials to be stored by users.
New York State was notified of the issue on April 30 but spent months ignoring messages from the NCC Group. It was only until the researchers contacted the NYS ITS Cyber command center in July that they got a response from the state about the problem.
A patch solving the issue was released on August 20. New York State officials did not respond to requests for comment from ZDNet.
Siddarth Adukia, technical director at NCC Group, told ZDNet that the widespread rollout of vaccine credential passport applications and their inherent security and privacy implications make them a natural area of interest for security research.
"At NCC Group, we've been looking into a number of these apps recently. We wanted to gauge the extent to which a user (or venue) should trust these systems, and how the privacy of someone using such systems would be affected," Adukia said.
"We started with the NYS Excelsior Pass applications as they were one of the first to roll out in the US, and we had consultants who live in New York State, including myself, who were personally vested in assuring the security and privacy of the system. We found the issue after threat modeling possible attack and abuse vectors against the application and the system in general."
Adukia said his team reverse-engineered the mobile application and intercepted network traffic, allowing them to examine the application for possible problems such as information leak, weak cryptography and other common application security issues.
Adukia explained that the application allows users to scan a QR code to add a credential to the wallet or add one through the device's photo gallery.
"The issue we found allowed fake credentials to be stored in the wallet. Both vectors allowed even non-technical users to scan a fake credential (created by themselves or via a website) and store it as a digital vaccine credential in the NYS Excelsior Wallet application," Adukia added.
"Users could then present the credential through the official app to venues and attempt to gain physical access. A lot of venues don't use the scanner app or ignore the verification results and trust the seemingly legitimate data on a user's device, allowing bypass of credential checking."
The current version of the app available in stores is not susceptible to this issue, Adukia noted. However, users who may not have updated to the latest version of the app can still upload forged vaccine credentials today.
In a technical advisory from NCC Group, researchers included screenshots of forged credentials that can be scanned by the Wallet app and added as a legitimate pass.
A screenshot of the fake credentials.
Adukia said NCC Group researchers are currently analyzing and discussing issues in other state-run COVID-19 apps and plan to follow the routine disclosure processes with any vendors.
Millions of people have found ways to acquire fake vaccine cards or other verifications allowing them to pretend they received one of the many free COVID-19 vaccines available in the US.
According to a report in August from Check Point Research, a variety of COVID-19 vaccine verifications are being sold at increasingly low prices on the dark web. Researchers found that prices for EU Digital COVID certificates as well as CDC and NHS COVID vaccine cards had fallen as low as $100.
Check Point Research's study found groups advertising the fake vaccine verifications in groups with more than 450,000 people. In March, a previous report from the company found that the price for fake vaccine passports was around $250 on the dark web and that advertisements for the scams were reaching new levels.
The researchers now can find fake certificates being sold from groups and people in the US, UK, Germany, Greece, Netherlands, Italy, France, Switzerland, Pakistan and Indonesia.
The spike in demand for fake vaccine passports and cards comes as hundreds of companies are forcing employees and customers to show evidence of COVID-19 vaccination before coming into offices or businesses.