Posts by Biff Understudy

  1. Tech specs for New Zealand verifier app - https://nzcp.covid19.health.nz
    App - https://play.google.com/store/apps/details?id=nz.govt.health.covidpassverifier

    I've been looking at the tech specs for the last week. Even made an app to the specs in the hope of getting a proper understanding of how it works. Private key(s) seem to be the only way, but then again I'm no expert at this stuff.

    The Ministry of Health is releasing the source code for the app on github soon. Fingers crossed there might be something to work with.

    On a side note (political, sorry) - I'm kinda concerned that the NZ app is called "NZ Pass Verifier" (not "MyVaccine Pass Verifier") + the icon doesn't have anything vaccine related in it, which makes me wonder if the government is going to eventually transition it from "just a vaccine pass" into a general pass for everything.
  2. Originally posted by Sophie Do we have a copy of the 'validator' app that will be used to check the QR code certificates? Having a copy of the app users are supposed to have with the QR code and everything, plus having a copy of the app meant for the people that will be checking for its validity, will be useful.

    I can set up an Android VM for instance, one for the user version, one for the authentication version. I haven't really looked into it all that much but I'd like to perform some tests in a controlled environment.

    Definitely getting our hands on the validator app will be helpful. I'm guessing it will be publicly available on the play/apple store. It comes out at the end of the month in my country and I can't wait to see how it works. Kinda pissed because I'm pretty sure they had a public beta test that I missed out on.
  3. Originally posted by Donald Trump That's just a minimised Angular file

    Fine, I was trying to be cool by calling it "obfuscated"

    Originally posted by aldra yeah, just skimming over it, it looks like form data and google tracking tags. for something like this client-side javascript isn't going to tell you much

    Setting "vaccineStatus" to "Y" in combination with "COVID_RECORD_INLINE_VIEW_URL" would help with making a forged certificate seem more legit. But yes, it's really lame and wouldn't help with QR code certs.
  4. Originally posted by aldra I might start digging into the Australian one later tonight

    Good luck.

    This is the file that has all the interesting JavaScript (obfuscated): https://www2.medicareaustralia.gov.au/moaonline/main-es2015.68519c0caf05b65442a4.js

    The certificates are generated server side now on the website version - not sure if the app still generates one on-the-fly though. Report back if you find anything :)
  5. Thanks - interesting stuff. I can't wait to see how my country does it. They will probably copy EU.
  6. Vaccine certificates (different from vaccine passports) are coming out next month in my country and I thought a thread would be good to discuss the various security measures implemented. I assume the international vaccine passports will be very secure, so I am more interested in local certificates.

    For instance, earlier versions of the Australian vaccine certificate were extremely insecure. They worked like so:
    - AJAX request to their server with a JSON response "vaccineStatus" : "Y" or "N"
    - This JSON value was stored to a local variable (I set a breakpoint in JavaScript and simply changed this)
    - Download immunisation history of user via AJAX request (PDF file - you could change this to a different file via JavaScript)
    - IF vaccineStatus == "Y", THEN generate vaccine certificate by reading details from immunisation history PDF file

    Others reported it was just as easy with a man-in-the-middle attack.

    How secure will the QR code certificates be? What data do they share? What are some possible security issues with them?
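The contrast between the flawed flow in post 6 and a signed QR-code pass, as an added illustration that is not from this thread or from any government app. The issuer signs a canonical JSON payload and the verifier recomputes the tag before trusting any claim, so a client-side edit of "vaccineStatus" invalidates the pass instead of silently changing the verdict. The key, claim names and token format are constructed for this example; real schemes such as the NZ spec use COSE-signed CWTs with asymmetric keys, whereas HMAC is used here only so the code runs on the Python standard library.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key for this illustration only. A real pass scheme signs with an
# asymmetric key so verifiers hold no secret; HMAC stands in here purely so the
# example runs on the standard library.
DEMO_ISSUER_KEY = b"demo-issuer-key-not-a-real-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def insecure_client_side_check(vaccine_status: str) -> bool:
    """The flawed pattern from the post: the verdict is a flag the client holds."""
    return vaccine_status == "Y"


def issue_pass(claims: dict, key: bytes = DEMO_ISSUER_KEY) -> str:
    """Issuer side: canonical JSON payload plus an authentication tag over it."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_pass(token: str, key: bytes = DEMO_ISSUER_KEY) -> Optional[dict]:
    """Verifier side: return the claims only if the tag matches the payload."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # payload or tag altered, or wrong issuer key
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def edit_status_in_token(token: str, new_status: str) -> str:
    """Model the breakpoint edit from the post: change the flag, keep the old tag."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["vaccineStatus"] = new_status
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + tag_b64


if __name__ == "__main__":
    genuine = issue_pass({"name": "Example Person", "vaccineStatus": "N"})
    print("genuine token verifies:", verify_pass(genuine) is not None)
    edited = edit_status_in_token(genuine, "Y")
    print("client-side check accepts edited flag:", insecure_client_side_check("Y"))
    print("signed verifier accepts edited token:", verify_pass(edited) is not None)
```

The point a verifier app needs is that the decision is made from the signed claims it recovers itself, never from a status field the scanning device or the pass holder's browser can rewrite.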
  7. Create a fake Craigslist ad saying there is a deceased estate sale at their address. Make sure to say all items in the house are for sale and have it start nice and early on Saturday morning (5am). Also put something like "If the door is shut, feel free to let yourself in :)" or "The TV is FREE, first in first served :)"
  8. Did you pirate Windows 7? The CIA is known to mask their implants as svchost.exe - check this wikileaks source https://wikileaks.org/vault7/ and ctrl+f "svchost".

    Also the CIA has a contract with amazon cloud services - https://www.theatlantic.com/technology/archive/2014/07/the-details-about-the-cias-deal-with-amazon/374632/

    Congratulations, you're being spied on :)
  9. Some solid ideas...

    To all the haters: it's not about being too poor or being a lowly thief. It's about understanding the machine and how it works, working out ways to trick and deceive it and assert my dominance over it - it's a power thing.

    Help me dominate the checkout machine.
  10. Originally posted by rabbitweed Yeah, sort your fucking life out so that elaborate schemes to save a few dollars shopping for groceries aren't even worth your time.

    Elaborate schemes are fun though. Also the few dollars will be payment for making me work like a supermarket checkout person, scanning and packing my own groceries.
  11. How can we defeat these things? The supermarket near me had the scales turned off which made it really easy, but now that they are on it's hard.

    Do the scales check for the specific weight of the item or just detect if anything has been placed in the bag?

    One idea I have is this: place a smaller hidden bag inside your normal shopping bag and have it so it is suspended on the metal bag holders above the scales. Pretend to scan the item (play a scanning beep sound from your phone?) then place it in the smaller hidden bag. The scales won't register anything as it will be suspended from the bag holder.

    Any other ideas?