New York State has fixed an issue with the Excelsior Pass Wallet, the app that allows users to acquire and store COVID-19 vaccine credentials.
The issue — discovered by researchers at the NCC Group — allows someone “to create and store fake vaccine credentials in their NYS Excelsior Pass Wallet that might allow them to gain access to physical spaces (such as businesses and event venues) where they would not be allowed without a vaccine credential, even when they have not received a COVID-19 vaccine.”
The researchers found that the application did not validate vaccine credentials added to it, allowing forged credentials to be stored by users.
New York State was notified of the issue on April 30 but spent months ignoring messages from the NCC Group. It was not until the researchers contacted the NYS ITS Cyber command center in July that they got a response from the state about the problem.
A patch solving the
The article New York State fixes vulnerability in COVID-19 passport app that allowed storage of fake vaccine credentials originally appeared on ZDNet.