Threat Post - Australian immunization app bug lets attackers fake vaccine status.
Three weeks after an independent researcher found a critical bug in the Services Australia COVID-19 digital vaccine certificate that would allow an attacker to falsify someone’s vaccine status, it still hasn’t been fixed.
Researcher Richard Nelson looked into the security behind a new digital vaccine passport app from the Australian government’s Express Plus Medicare program, which automatically pulls someone’s vaccine status from the Australian Immunization Register. Bars, restaurants and other businesses rely on vaccination proof like this to protect the public from the spread of COVID-19.
Nelson found the flaw and shared his findings publicly on Aug. 18:
This should not be anywhere near this easy to fool (I’m not vaccinated.. yet) pic.twitter.com/faTQws7XhX
— Richard Nelson (@wabzqem) August 18, 2021
Nelson explained that he tweeted his work because he was unable to get in touch with Services Australia, the organization that oversees the COVID-19 digital vaccine application.
“I did report it there in the hopes that someone might forward it on, but did not get a response until days later,” Nelson wrote. “I also eventually reported it via ReportCyber and ASD [Australian Signals Directorate] did forward it on