2021-10-28 at 9:28 AM UTC
Vaccine certificates (different from vaccine passports) are coming out next month in my country and I thought a thread would be good to discuss the various security measures implemented. I assume the international vaccine passports will be very secure, so I am more interested in local certificates.
For instance, earlier versions of the Australian vaccine certificate were extremely insecure. They worked like so:
- AJAX request to their server with a JSON response "vaccineStatus" : "Y" or "N"
- This JSON value was stored to a local variable (I set a breakpoint in javascript and simply changed this)
- Download immunisation history of user via AJAX request (PDF file - you could change this to a different file via JavaScript)
- IF vaccineStatus == "Y", THEN generate vaccine certificate by reading details from immunisation history PDF file
Others reported it was just as easy with a man-in-the-middle attack.
How secure will the QR code certificates be? What data do they share? What are some possible security issues with them?
2021-10-28 at 9:41 AM UTC
Originally posted by Biff Understudy
Vaccine certificates (different from vaccine passports) are coming out next month in my country and I thought a thread would be good to discuss the various security measures implemented. I assume the international vaccine passports will be very secure, so I am more interested in local certificates.
For instance, earlier versions of the Australian vaccine certificate were extremely insecure. They worked like so:
- AJAX request to their server with a JSON response "vaccineStatus" : "Y" or "N"
- This JSON value was stored to a local variable (I set a breakpoint in javascript and simply changed this)
- Download immunisation history of user via AJAX request (PDF file - you could change this to a different file via JavaScript)
- IF vaccineStatus == "Y", THEN generate vaccine certificate by reading details from immunisation history PDF file
Others reported it was just as easy with a man-in-the-middle attack.
How secure will the QR code certificates be? What data do they share? What are some possible security issues with them?
The EU ones are signed with a private key. That makes them fairly secure when used with any EU vaccine passport validator app. There is some talk about some private keys either having been leaked or brute-forced, and there is a valid cert going around for Adolf Hitler, but it's perfectly possible some pharmacist or doctor created that just for the lulz.
Example code is at:
https://github.com/nofaceinbook/hc1_test_cert
https://github.com/cn-uofbasel/ch-dcc-keys
https://github.com/minvws/nl-covid19-coronacheck-provider-docs/tree/main/signing-demo
Info on the possible leak:
https://github.com/ehn-dcc-development/hcert-spec/issues/103
https://rfmirror.com/Thread-TRADING-make-EU-green-pass?page=1
2021-10-29 at 5:54 AM UTC
Thanks - interesting stuff. I can't wait to see how my country does it. They will probably copy EU.
2021-10-29 at 5:55 AM UTC
aldra
JIDF Controlled Opposition
I might start digging into the Australian one later tonight
2021-10-29 at 9:56 AM UTC
If a person is going to be a pussy and not get the vaccine, then they should wear it like a badge of honor.
You aren’t man enough to get a shot, man up and be honest about it pussies!
2021-10-29 at 10:01 AM UTC
Originally posted by Technologist
If a person is going to be a pussy and not get the vaccine, then they should wear it like a badge of honor.
You aren’t man enough to get a shot, man up and be honest about it pussies!
hey come on no trolling ok
2021-10-29 at 10:59 AM UTC
Originally posted by Technologist
If a person is going to be a pussy and not get the vaccine, then they should wear it like a badge of honor.
You aren’t man enough to get a shot, man up and be honest about it pussies!
I got the jab, it's pretty cringe though. I would never take that document outside and I lie and pretend I hate diapers and communists because it makes others upset.
There is a fucking magnet in my arm and now I shit 5 times a day ever since taking that GARBAGE last week and I am going for another one today by lying and saying it's my first.
I'll have two first dose vaccine papers and you can stick them both up your fucking ass, bitch. Fuck this fake covid flu and your fake vaccine that made me more sick in 2 years than I have been LIVING IN A FUCKING PANDEMIC, FUCK YOU
2021-10-29 at 11:13 AM UTC
wtf guys, why can a shoe salesman have a nice house near Santana Row like that? How is that fair with what I had to undergo due to the torturous treatment received, due to the pain caused by crooked Raphael Luciano and his family, who I cared for a lot even though he and his daughter said NO we don't want you to care for us
2021-10-29 at 11:19 AM UTC
Originally posted by Biff Understudy
This is the file that has all the interesting JavaScript (obfuscated): https://www2.medicareaustralia.gov.au/moaonline/main-es2015.68519c0caf05b65442a4.js
That's just a minimised Angular file, it contains all the basic logic to run the web application. I doubt it has anything interesting in it.
Originally posted by Technologist
If a person is going to be a pussy and not get the vaccine, then they should wear it like a badge of honor.
You aren’t man enough to get a shot, man up and be honest about it pussies!
"Just accept being a second class citizen white man. Accept being a legal outcast like a man! Be proud that society can legally shit on you. Real men like being cucks. Be happy to be treated like shit. Be proud of us being treated better than you."
2021-10-29 at 1:31 PM UTC
aldra
JIDF Controlled Opposition
I just used regex to add linebreaks to open/close braces
2021-11-01 at 4:49 PM UTC
Do we have a copy of the 'validator' app that will be used to check the QR code certificates? Having a copy of the app users are supposed to have, with the QR code and everything, plus a copy of the app meant for the people that will be checking for its validity, will be useful.
I can set up an Android VM for instance, one for the user version and one for the authentication version. I haven't really looked into it all that much but I'd like to perform some tests in a controlled environment.