Sensitive data from QR code can be scanned without owner's knowledge
- Bug is not mentioned in the FAQ
- Bug is not already reported in another issue
The FAQ says:
The QR code contains the same data as the EU Digital COVID Certificate. However, when the QR code is checked with the CovPassCheck app, only the status of the certificate, the surname, the first name and the date of birth are displayed.
The above statement only holds for the official CovPassCheck app, but not for custom-built variants of the same app.
- Device name: any
- OS version: any
- App version: any
Describe the bug
It is trivial to modify the CovPassCheck app so that it displays not only the name, transcribed name and birthday, but also the other information contained in the QR code.
Assuming that an owner of a CovPass certificate does not trust the user of “the” CovPassCheck app that the CovPassCheck app is indeed the official version that only displays the above-mentioned limited information, how can the owner of the certificate prove that the certificate is indeed valid, without disclosing the sensitive health information from the QR code to the user of “the” CovPassCheck app?
Should the owner of the QR code ask the user of “the” CovPassCheck app for a proof that the app is downloaded from a verified source? And if so, how can the owner of the QR code be reasonably sure that anything shown on the CovPassCheck phone is trustworthy?
Steps to reproduce the issue
Build CovPassCheck with a modified CovCertificate.birthDateFormatted property that shows the sensitive data from the certificate instead of the birth date.
The CovPass app offers different QR codes for typical validation scenarios. Each of these QR codes is digitally signed and contains only the necessary data for the specific kind of validation. Alternatively, the sensitive data is encrypted or protected in another way, to prevent unauthorized disclosure.
- Created 2 years ago
- Comments:11 (4 by maintainers)
Top GitHub Comments
The Dutch system is built with these concerns in mind. There are 2 different QR Codes: One for international travel and one for inside The Netherlands only. The Dutch QR Code has way more privacy features built in, to name a few:
- 30-second short-lived QR Code to make tracking across different locations impossible
- Only the first letter of the first name, last name and birth month, birth date is shown (and one of these is randomly not shown, this changes randomly with the short-lived QR). By shown I also mean that this is the only information stored in the QR Code. So there is no way to use another app and get more information.
- There is no information on the Vaccination, Recovery, Test. Only if valid or not valid.
Here are a few links to the Dutch FAQ for more information:
@rillig thanks for reporting. This topic has already been discussed in various other tickets. It is a known issue and the topic is in discussion with the EU. I don’t have further information on the current state of those discussions but maybe @alexcimander or @molk-ibm know more? Sadly this topic can’t move forward without modifications of the EU COVID Certificate schema. All member states need to agree on a standard that will be used, otherwise those certificates will not be valid when traveling in the EU.
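A sketch of the data-minimised, short-lived QR payload that the issue asks for and that the comment about the Dutch system describes, as an added example that is not CovPass, Dutch or EU DCC code. The field names, the JSON-plus-MAC token layout, the sample record and the reading of the hint fields (two initials, birth month, birth day) are assumptions, and HMAC stands in for the issuer's signature.

```python
import base64, hashlib, hmac, json, secrets

# Constructed values. HMAC stands in for the issuer's signature only because the
# standard library has no asymmetric one; a real verifier holds a public key.
DEMO_KEY = b"constructed-demo-key"
SAMPLE_CERT = {"first_name": "Erika", "last_name": "Mustermann",
               "birth_date": "1964-08-12", "vaccine": "constructed-product",
               "dose": "2/2"}
VALIDITY_SECONDS = 30
HINT_FIELDS = ("first_initial", "last_initial", "birth_month", "birth_day")

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def make_domestic_token(cert, is_valid, now, key=DEMO_KEY, rng=None):
    """Build a short-lived token carrying only identity hints and a verdict."""
    rng = rng or secrets.SystemRandom()
    hints = {
        "first_initial": cert["first_name"][0],
        "last_initial": cert["last_name"][0],
        "birth_month": int(cert["birth_date"][5:7]),
        "birth_day": int(cert["birth_date"][8:10]),
    }
    del hints[rng.choice(HINT_FIELDS)]  # one hint is withheld at random
    # Vaccine, dose and full name are never copied, so no verifier can show them.
    payload = dict(hints, valid=bool(is_valid), exp=int(now) + VALIDITY_SECONDS)
    body = json.dumps(payload, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())

def verify_domestic_token(token, now, key=DEMO_KEY):
    """Return the disclosed fields, or None if malformed, forged or expired."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # check authenticity before parsing the body
    payload = json.loads(body)
    return payload if now < payload["exp"] else None

if __name__ == "__main__":
    token = make_domestic_token(SAMPLE_CERT, True, now=1000)
    print(verify_domestic_token(token, now=1010))  # fields a verifier can see
    print(verify_domestic_token(token, now=1031))  # expired
```

Because the health fields never enter the token, a modified verifier build has nothing extra to display, which is the property the full certificate QR code cannot offer.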