Researchers on Wednesday reported they found that New York state's NYS Excelsior Pass Wallet app designed for users to acquire and store a COVID-19 vaccine credential does not validate vaccine credentials as users add them to it, which would allow potentially unscrupulous users to store forged credentials.
But there’s good news: The NCC Group found the flaw and in an advisory post, the researchers said verification for the vaccine app was fixed and included in the Aug. 12, 2021, version of the Excelsior Pass app.
By creating and then storing fake vaccine credentials in an Excelsior Pass app, someone who has not been vaccinated could gain access to physical spaces such as businesses and event venues where they would not be allowed without a vaccine card. NCC researchers advise businesses and event venues that use the Excelsior Pass scanner to double-check that all credentials presented are successfully validated before allowing someone to enter a facility or venue.
The issue of people using fake vaccination cards has increased over the past several months, and New York Attorney General Letetia James issued an advisory in early August, calling falsifying a vaccine card a violation of both federal and state law in New York. As early as March of this year, the FBI issued an advisory and has frequently warned the public about the dangers of using fraudulent vaccination cards. Penalties for fraudulently using a CDC logo on a fake card reportedly could result in a sentence of up to five years in prison or a $5,000 fine.
"Ideally, apps shouldn't let users add credentials that don't pass a validation check performed on the app's backend servers,” said Ryan Kennedy, application security consultant at nVisium. Kennedy said in the context of the Excelsior Pass app, the Excelsior Pass scanner should function as a “source of truth” as end users may not always use the most up-to-date versions of an app.
“As a New York City resident, and a frequent user of the app, I'm glad to hear that security concerns are being addressed and that it's becoming increasingly difficult for bad actors to forge their vaccine status,” Kennedy said.
Jason Kent, hacker-in-residence at Cequence, added that unvalidated user input has caused issues with systems since the early days of computing.
“Often this causes a system hiccup that can be beneficial to attackers, but in this case unvalidated input seems to create a seemingly valid output,” Kent explained. “The purpose of this application is to prove one is vaccinated and it seems that accepting garbage in, creates a garbage out scenario. Given the importance of this type of system, creating a fraudulent affirmation will be the type of thing that keeps us in masks for a very long time.”
Setu Kulkarni, vice president, strategy at NTT Application Security, saw this as a case of poor software design. Kulkarni said this demonstrates that software architects and development teams should keep basic confidentiality, integrity and availability (CIA) requirements in mind when designing any new application.
“Clearly, with APIs, it has become easy to design applications that have the power to change the way we access public services in trying times like now,” Kulkarni said. “But with great power comes great responsibility — going back to the drawing board to ensure basic CIA principles are accounted for while continuing to test applications in production is the way to responsibly develop and maintain applications.”