New York State (NYS) has fixed an issue in the Excelsior Pass Wallet in its fight against fake COVID-19 vaccine credentials. According to the NCC Group researchers who discovered it, the issue allowed people to create and store fake vaccine credentials in their NYS Excelsior Pass Wallet. They could then use these inauthentic credentials to gain access to event spaces and business conferences that admit only people with vaccine credentials.
The issue stemmed from the fact that the application failed to validate credentials, which let users store forged certificates.
NCC Group had alerted New York State to the issue on 30th April. However, the state ignored the report. The researchers then contacted the NYS ITS Cyber Command Center in July and finally received a response.
On 20th August, NYS released a patch fixing the issue but did not respond to ZDNet's request for comment.
According to NCC Group's technical director, Siddharth Adukia, the widespread rollout of vaccine credential passports and the security issues that come with them make for interesting security research.
“At NCC Group, we’ve been looking into a number of these apps recently. We wanted to gauge the extent to which a user (or venue) should trust these systems, and how the privacy of someone using such systems would be affected,” Adukia said.
He also said that NCC Group has been monitoring many similar apps and their user-privacy issues. It began with the NYS Excelsior Pass apps because they were the first in the US.
After identifying possible attack and abuse vectors against the overall system and the application, the researchers discovered the fake-credentials issue. The team reverse-engineered the app and intercepted its network traffic to look for security issues such as information leaks. According to Adukia, the app allowed users to scan a QR code.
Users could scan a code to add a credential to the wallet, or upload one from the device's photo gallery. The security issue let fake credentials be stored in the wallet through either path, because nothing checked the credential before it was accepted.
“The issue we found allowed fake credentials to be stored in the wallet. Both vectors allowed even non-technical users to scan a fake credential (created by themselves or via a website) and store it as a digital vaccine credential in the NYS Excelsior Wallet application. Users could then present the credential through the official app to venues and attempt to gain physical access,” Adukia explained.
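To make the missing check concrete, here is an added illustration of what a wallet import step looks like when it validates a credential before storing it. This is example code written for this article, not the Excelsior Pass app's code or anything NCC Group published. It assumes a constructed envelope format (the signed credential bytes, an issuer key id and an Ed25519 signature, base64-encoded in the QR text) and a wallet that ships with a pinned set of issuer public keys; the names `Envelope`, `Credential`, `Wallet`, `ImportScanned`, `Issue` and the key id `state-key-1` are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is a constructed stand-in for what a credential QR code carries:
// the credential bytes, the id of the issuer key that signed them, and the signature.
type Envelope struct {
	KeyID     string `json:"kid"`
	Payload   []byte `json:"payload"`
	Signature []byte `json:"sig"`
}

// Credential is a constructed, minimal vaccine record; real schemas carry more.
type Credential struct {
	Issuer  string `json:"issuer"`
	Subject string `json:"subject"`
	Status  string `json:"status"`
}

// Wallet stores only credentials whose signature verifies under a pinned issuer key.
type Wallet struct {
	trusted map[string]ed25519.PublicKey // key id -> issuer public key, shipped with the app
	stored  []Credential
}

var (
	ErrMalformed     = errors.New("malformed credential")
	ErrUnknownIssuer = errors.New("unknown issuer key id")
	ErrBadSignature  = errors.New("signature does not verify under the trusted issuer key")
)

// ImportScanned is the validation step the article describes as missing: decode the
// scanned text, look up the issuer key, verify the signature, and only then store.
func (w *Wallet) ImportScanned(qrText string) (Credential, error) {
	raw, err := base64.StdEncoding.DecodeString(qrText)
	if err != nil {
		return Credential{}, ErrMalformed
	}
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return Credential{}, ErrMalformed
	}
	pub, ok := w.trusted[env.KeyID]
	if !ok {
		return Credential{}, ErrUnknownIssuer // a key id the app was not shipped with
	}
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return Credential{}, ErrBadSignature // forged or edited after signing
	}
	var cred Credential
	if err := json.Unmarshal(env.Payload, &cred); err != nil {
		return Credential{}, ErrMalformed
	}
	w.stored = append(w.stored, cred)
	return cred, nil
}

// Count reports how many credentials the wallet accepted.
func (w *Wallet) Count() int { return len(w.stored) }

// Issue plays the issuer side: sign the credential and encode the envelope as QR text.
func Issue(kid string, priv ed25519.PrivateKey, c Credential) string {
	payload, _ := json.Marshal(c)
	env := Envelope{KeyID: kid, Payload: payload, Signature: ed25519.Sign(priv, payload)}
	raw, _ := json.Marshal(env)
	return base64.StdEncoding.EncodeToString(raw)
}

// keyFromSeed derives a fixed Ed25519 key pair so the example is reproducible offline.
func keyFromSeed(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = b
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Demo imports three scans: a genuine credential, one signed with an untrusted key
// that claims the state's key id, and one carrying a genuine signature over an edited payload.
func Demo() (accepted int, genuineErr, forgedErr, tamperedErr error) {
	statePub, statePriv := keyFromSeed(1)
	_, otherPriv := keyFromSeed(2) // a key the wallet was never configured to trust
	w := &Wallet{trusted: map[string]ed25519.PublicKey{"state-key-1": statePub}}
	cred := Credential{Issuer: "example-state-health", Subject: "Jane Doe", Status: "fully-vaccinated"}

	_, genuineErr = w.ImportScanned(Issue("state-key-1", statePriv, cred))
	_, forgedErr = w.ImportScanned(Issue("state-key-1", otherPriv, cred))

	payload, _ := json.Marshal(cred)
	env := Envelope{KeyID: "state-key-1", Payload: []byte(`{"subject":"Someone Else"}`), Signature: ed25519.Sign(statePriv, payload)}
	edited, _ := json.Marshal(env)
	_, tamperedErr = w.ImportScanned(base64.StdEncoding.EncodeToString(edited))

	return w.Count(), genuineErr, forgedErr, tamperedErr
}

func main() {
	n, g, f, t := Demo()
	fmt.Printf("stored=%d genuine=%v forged=%v tampered=%v\n", n, g, f, t)
}
```

The point of the design is that the wallet never trusts what the scanner or the photo gallery hands it: the only thing that gets a credential into storage is a signature that checks out under a key the app already holds, so neither path described in the article can add an unsigned or self-signed record. A venue's scanner app should apply the same check on presentation, since the wallet is under the holder's control.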