Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Sensitive data from QR code can be scanned without owner's knowledge

See original GitHub issue

Avoid duplicates

  • Bug is not mentioned in the FAQ
  • Bug is not already reported in another issue

The FAQ says:

Der QR-Code enthält dieselben Daten wie das digitale COVID-Zertifikat der EU. Bei der Überprüfung des QR-Codes mit der CovPassCheck-App werden jedoch nur der Status des Zertifikats, der Name, der Vorname und das Geburtsdatum angezeigt.

The above statement only holds for the official CovPassCheck app, but not for custom-built variants of the same app.

Technical details

  • Device name: any
  • OS version: any
  • App version: any

Describe the bug

It is trivial to modify the CovPassCheck app so that it displays not only the name, transcribed name and birthday, but also the other information contained in the QR code.

Assuming that a owner of a CovPass certificate does not trust the user of “the” CovPassCheck app that the CovPassCheck app is indeed the official version that only displays the above-mentioned limited information, how can the owner of the certificate prove that the certificate is indeed valid, without disclosing the sensitive health information from the QR code to the user of “the” CovPassCheck app?

Should the owner of the QR code ask the user of “the” CovPassCheck app for a proof that the app is downloaded from a verified source? And if so, how can the owner of the QR code be reasonably sure that anything shown on the CovPasCheck phone is trustworthy?

Steps to reproduce the issue

Build CovPassCheck with a modified CovCertificate.birthDateFormatted property that shows the sensitive data from the certificate instead of the birth date.

Expected behaviour

The CovPass app offers different QR codes for typical validation scenarios. Each of these QR codes is digitally signed and contains only the necessary data for the specific kind of validation. Alternatively, the sensitive data is encrypted or protected in another way, to prevent unauthorized disclosure.

Issue Analytics

  • State:open
  • Created 2 years ago
  • Comments:11 (4 by maintainers)

github_iconTop GitHub Comments

BengtHagemeistercommented, Jan 17, 2022

The dutch system is build with these concerns in mind. There are 2 different QR Codes: One for international travel and one for inside The Netherlands only. The dutch QR Code has way more privacy features build in, to name a few:

  • 30 seconds short live QR Code to make tracking across different locations impossible
  • Only the first letter of the first name, last name and birth month, birth date is shown (and one of these is randomly not shown, this changes randomly with the short live QR). By shown I also mean that this is the only information stored in the QR Code. So there is no way to use another app and get more information.
  • There is no information on the Vaccination, Recovery, Test. Only if valid or not valid.

Here are a few links to the Dutch FAQ for more information:

timokoenigcommented, Dec 26, 2021

@rillig thanks for reporting. This topic has already been discussed in various other tickets. It is a known issue and the topic is in discussion with the EU. I don’t have further information on the current state of those discussions but maybe @alexcimander or @molk-ibm know more? Sadly this topic can’t move forward without modifications of the EU COVID Certificate schema. All member states need to agree on a standard that will be used otherwise those certificates will not be valid when traveling in the EU.

Read more comments on GitHub >

github_iconTop Results From Across the Web

4 Ways Scanning QR Codes Can Expose You to Security ...
We're all used to quickly getting information by scanning a QR code. But they're also security and privacy risks. Here's why.
Read more >
The secrets about QR code safety - The Missing Link
Best practices using QR codes · Never scan a randomly found QR code. · Be suspicious if, after scanning a QR code, a...
Read more >
What Is a QR Code? How to Scan and How to Make Your Own
QR code is a two-dimensional matrix barcode that can be read and scanned with compatible devices. Learn more about how to scan it...
Read more >
QR Code Fraud: What is it and How Can You Protect Yourself?
Over the years, QR code scams have become more and more popular amongst cybercriminals. Just by getting you to scan a fake QR...
Read more >
How Restaurants Can Protect Their Business and Customers ...
Since people have become more accustomed to scanning QR codes in restaurants, they may be less wary and more likely to scan a...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found