User Controls

Vaccine certificate security

  1. #1
    Vaccine certificates(different from vaccine passports) are coming out next month in my country and I thought a thread would be good to discuss the various security measures implemented. I assume the international vaccine passports will be very secure, so I am more interested in local certificates.

    For instance, earlier versions of the Australian vaccine certificate were extremely insecure. They worked like so..
    - AJAX request to their server with a JSON response "vaccineStatus" : "Y" or "N"
    - This JSON value was stored to a local variable (I set a breakpoint in javascript and simply changed this)
    - Download immunisation history of user via AJAX request(PDF file - you could change this to a different file via javascript)
    - IF vaccineStatus == "Y", THEN generate vaccine certificate by reading details from immunisation history PDF file

    Others reported it was just as easy with a man-in-the-middle attack.

    How secure will the QR code certificates be? What data do they share? What are some possible security issues with them?
  2. #2
    Originally posted by Biff Understudy Vaccine certificates(different from vaccine passports) are coming out next month in my country and I thought a thread would be good to discuss the various security measures implemented. I assume the international vaccine passports will be very secure, so I am more interested in local certificates.

    For instance, earlier versions of the Australian vaccine certificate were extremely insecure. They worked like so..
    - AJAX request to their server with a JSON response "vaccineStatus" : "Y" or "N"
    - This JSON value was stored to a local variable (I set a breakpoint in javascript and simply changed this)
    - Download immunisation history of user via AJAX request(PDF file - you could change this to a different file via javascript)
    - IF vaccineStatus == "Y", THEN generate vaccine certificate by reading details from immunisation history PDF file

    Others reported it was just as easy with a man-in-the-middle attack.

    How secure will the QR code certificates be? What data do they share? What are some possible security issues with them?

    The EU ones are signed with a private key. That makes them fairly secure when used with any EU vaccine passport validator app. There is some talk about some private keys either having been leaked or brute-forced, and there is a valid cert going around for Adolf Hitler, but it's perfectly possible some pharmacist or doctor created that just for the lulz.

    Example code is at:
    https://github.com/nofaceinbook/hc1_test_cert
    https://github.com/cn-uofbasel/ch-dcc-keys
    https://github.com/minvws/nl-covid19-coronacheck-provider-docs/tree/main/signing-demo

    Info on the possible leak:
    https://github.com/ehn-dcc-development/hcert-spec/issues/103
    https://rfmirror.com/Thread-TRADING-make-EU-green-pass?page=1
    The following users say it would be alright if the author of this post didn't die in a fire!
  3. #3
    Thanks - interesting stuff. I can't wait to see how my country does it. They will probably copy EU.
  4. #4
    aldra JIDF Controlled Opposition
    I might start digging into the Australian one later tonight
  5. #5
    Originally posted by aldra I might start digging into the Australian one later tonight

    Good luck.

    This is the file that has all the interesting javascript(obfuscated) https://www2.medicareaustralia.gov.au/moaonline/main-es2015.68519c0caf05b65442a4.js

    The certificates are generated server side now on the website version - not sure if the app still generates one on-the-fly though. Report back if you find anything :)
  6. #6
    Technologist victim of incest
    If a person is going to be a pussy and not get the vaccine, then they should wear it like a badge of honor.

    You aren’t man enough to get a shot, man up and be honest about it pussies!
  7. #7
    A College Professor victim of incest [your moreover breastless limestone]
    Originally posted by Technologist If a person is going to be a pussy and not get the vaccine, then they should wear it like a badge of honor.

    You aren’t man enough to get a shot, man up and be honest about it pussies!

    hey come on no trolling ok
    The following users say it would be alright if the author of this post didn't die in a fire!
  8. #8
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]
    Originally posted by Technologist If a person is going to be a pussy and not get the vaccine, then they should wear it like a badge of honor.

    You aren’t man enough to get a shot, man up and be honest about it pussies!

    i got the jab it's pretty cringe though I would never take that document outside and I lie and pretend I hate diapers and communists because it makes others upset

    there is a fucking magnet in my arm and now I shit 5 times a day ever since taking that GARBAGE last week and I am going for another one today by lying and saying it's my first

    i'll have two first dose vaccine papers and you can stick them both up your fuckiing ass, bitch. Fuck this fake covid flu and your fake vaccine that made me more sick in 2 years than I have been LIVING IN A FUCKING PANDEMIC, FUCK YOU
    The following users say it would be alright if the author of this post didn't die in a fire!
  9. #9
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]
    I would NEVER take this shit if It wasn't forced by the government on employers to require that shit. I can get hired TODAY anywhere but actually NO I CAN'T because I need to be fully vaxed

    thanks for ruining the economy you fucking bitch I wonder why this will never happen again

  10. #10
    A College Professor victim of incest [your moreover breastless limestone]
    wtf fuys why a shoe salesman can have a nic ehouse near santana row like that how is fair with whta i had to undergoe due to the tortuoruos treatment receivd due to the pain by crooked Raphael Luciano and his family who i cared for a lot even tho he and his daughter said NO we dont want you to care for us
    The following users say it would be alright if the author of this post didn't die in a fire!
  11. #11
    Originally posted by Biff Understudy This is the file that has all the interesting javascript(obfuscated) https://www2.medicareaustralia.gov.au/moaonline/main-es2015.68519c0caf05b65442a4.js

    That's just a minimised Angular file, it contains all the basic logic to run the web application. I doubt it has anything interesting in it.



    Originally posted by Technologist If a person is going to be a pussy and not get the vaccine, then they should wear it like a badge of honor.

    You aren’t man enough to get a shot, man up and be honest about it pussies!

    "Just accept being a second class citizen white man. Accept being a legal outcast like a man! Be proud that society can legally shit on you. Real men like being cucks. Be happy to be treated like shit. Be proud of us being treated better than you."
    The following users say it would be alright if the author of this post didn't die in a fire!
  12. #12
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]
    the mobile covid vax van is like the rape van filled with FBI agents and 5g magnet juice

  13. #13
    Technologist victim of incest
    Originally posted by Donald Trump "Just accept being a second class citizen white man. Accept being a legal outcast like a man! Be proud that society can legally shit on you. Real men like being cucks. Be happy to be treated like shit. Be proud of us being treated better than you."

    Didn’t you get vaxxed ya cuck? You poor victim, I’m so sorry, cheer up dude🍔🌭🌮🌯🥙🥗🥪
  14. #14
    Originally posted by Technologist Didn’t you get vaxxed ya cuck? You poor victim, I’m so sorry, cheer up dude🍔🌭🌮🌯🥙🥗🥪

    I got vaxxed, and I have solidarity with those who choose not to get vaxxed.

    It's an elite tier position, you wouldn't understand.
  15. #15
    the man who put it in my hood Black Hole [miraculously counterclaim my golf]
    What they don't tell you is "you need to wait an entire month to get another vax" so as soon as your workplace fires you for not being vaxed you think OH YEAH I WILL GET VAXXED TOMORROW AND COME BACK MONDAY

    Nope. You gotta wait a month, goy and they are going to replace your anti vaxxer slow ass.

    Why do you have to wait 30 days between jabs? Nobody knows. Nothing bad will happen if you take two jabs at the same time, you won't be "fully vaxxed" but your gay little nazi paper card will have two checkboxes on it saying you are which is good enough

    and then you don't have to wait the 30 days

  16. #16
    aldra JIDF Controlled Opposition
    Originally posted by Donald Trump That's just a minimised Angular file, it contains all the basic logic to run the web application. I doubt it has anything interesting in it.

    yeah, just skimming over it it looks like form data and google tracking tags. for something like this client-side javascript isn't going to tell you much
  17. #17
    Originally posted by Donald Trump That's just a minimised Angular file

    Fine, I was trying to be cool be calling it "obfuscated"

    Originally posted by aldra yeah, just skimming over it it looks like form data and google tracking tags. for something like this client-side javascript isn't going to tell you much


    Setting "vaccineStatus" to "Y" in combination with "COVID_RECORD_INLINE_VIEW_URL" would help with making a forged certificate seem more legit. But yes, it's really lame and wouldn't help with QR code certs.
  18. #18
    Originally posted by Biff Understudy Fine, I was trying to be cool be calling it "obfuscated"

    Minimisation just means compressed so it can fit in less space so it transmits faster over the network. That's why spaces and line breaks are removed and variable names are turned into single letters. There is also a bunch of pre-processing involved in turning the Angular code into compatible Javascript (ECMA Script 2015 in this case).

    Obfuscation means made harder to understand, and minimisation is a valid obfuscation tactic.

    In case you don't know, you can format this file nicely inside Chrome, just open Dev Tools, then click on Sources, then the file, then pretty print.
  19. #19
    aldra JIDF Controlled Opposition
    I just used regex to add linebreaks to open/close braces
  20. #20
    Sophie Pedophile Tech Support
    Do we have a copy of the 'validator' app that will be used to check the QR code certificates? Having a copy of the app users are supposed to have with the Qr code and everything, plus having a copy of the app meant for the people that will be checking for it's validity will be useful.

    I can set up an Android VM for instance, one for the user version one for the authentication version. I haven't really looked into it all that much but i'd like to perform some tests in a controlled environment.
Jump to Top