A security bug in the health app Docket exposed the private information of residents vaccinated against COVID-19 in New Jersey and Utah, where the app received endorsements from state officials. From a report: Docket lets residents download and carry a digital copy of their immunizations by pulling their vaccination records from their state’s health authority. The digital copy has the same information as the COVID-19 paper card, but is digitally signed by the state to prevent forgeries. Docket is one of several so-called vaccine passports in the U.S., allowing residents to show their vaccination records — or a scannable QR code — for getting into events, restaurants or crossing into countries where vaccines are required.
But for a time, the app allowed anyone access to the QR codes of other vaccinated users — and all the personal and vaccine information encoded within. That included names, dates of birth and information about a person’s COVID-19 vaccination status, such as which type of vaccine they received and when. TechCrunch discovered the bug on Tuesday and immediately contacted the company. Docket chief executive Michael Perretta said the bug was fixed at the server level a few hours later. The bug was found in how the Docket app requests the user’s QR code from its servers. The user’s QR code is generated on the server in the form of a SMART Health Card, a widely accepted standard for validating a person’s vaccination status across the world. That QR code is tied to a user ID, which isn’t visible from the app, but can be viewed by looking at its network traffic using off-the-shelf software like Burp Suite or Charles Proxy.
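The report describes a classic insecure direct object reference: the server handed out any user's QR code to whoever supplied that user's ID, and the signature on a SMART Health Card only prevents forgery, it does nothing to keep the personal data inside it private from whoever holds the QR. The following is an added example, not Docket's code and not from TechCrunch. It builds SMART Health Card style QR text from constructed records (the names, IDs, issuer URL and `kid` are made up; the JWS signature segment is a placeholder rather than a real ES256 signature), shows how anyone can decode a leaked QR back to name, date of birth and doses without any key, and places a hypothetical vulnerable handler beside one that binds the record to the authenticated session.

```python
import base64
import json
import zlib

# Constructed sample records; names, IDs and dates are made up for this example.
RECORDS = {
    "u-1001": {"name": "Alice Example", "dob": "1980-01-01",
               "doses": [("Moderna", "2021-03-01"), ("Moderna", "2021-03-29")]},
    "u-1002": {"name": "Bob Example", "dob": "1975-06-15",
               "doses": [("Pfizer-BioNTech", "2021-04-10"), ("Pfizer-BioNTech", "2021-05-01")]},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_shc_jws(record: dict) -> str:
    """Build a SMART Health Card JWS: header {"zip":"DEF","alg":"ES256"} and a
    raw-DEFLATE payload carrying a FHIR bundle, as the SHC spec lays out.
    The signature segment is a placeholder (an assumption of this example);
    a real issuer signs the first two segments with its ES256 key."""
    header = _b64url(json.dumps({"zip": "DEF", "alg": "ES256", "kid": "example-kid"},
                                separators=(",", ":")).encode())
    bundle = {
        "resourceType": "Bundle",
        "entry": [
            {"resource": {"resourceType": "Patient",
                          "name": [{"text": record["name"]}],
                          "birthDate": record["dob"]}},
        ] + [
            {"resource": {"resourceType": "Immunization",
                          "vaccineCode": {"text": vaccine},
                          "occurrenceDateTime": date}}
            for vaccine, date in record["doses"]
        ],
    }
    claims = {"iss": "https://example.invalid/issuer",  # made-up issuer
              "vc": {"credentialSubject": {"fhirBundle": bundle}}}
    comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    payload = comp.compress(json.dumps(claims, separators=(",", ":")).encode()) + comp.flush()
    signature = _b64url(b"\x00" * 64)  # placeholder, not a real signature
    return f"{header}.{_b64url(payload)}.{signature}"


def to_qr_text(jws: str) -> str:
    """SHC numeric QR encoding: 'shc:/' then each JWS character as (ord(c) - 45), two digits."""
    return "shc:/" + "".join(f"{ord(c) - 45:02d}" for c in jws)


def decode_qr_text(qr: str) -> dict:
    """Decode a scanned SHC QR without verifying its signature, which is all anyone
    holding the QR needs to do to read the personal data it carries."""
    digits = qr[len("shc:/"):]
    jws = "".join(chr(int(digits[i:i + 2]) + 45) for i in range(0, len(digits), 2))
    _, payload_b64, _ = jws.split(".")
    claims = json.loads(zlib.decompress(_b64url_decode(payload_b64), wbits=-15))
    entries = [e["resource"] for e in claims["vc"]["credentialSubject"]["fhirBundle"]["entry"]]
    patient = next(r for r in entries if r["resourceType"] == "Patient")
    doses = [(r["vaccineCode"]["text"], r["occurrenceDateTime"])
             for r in entries if r["resourceType"] == "Immunization"]
    return {"name": patient["name"][0]["text"], "dob": patient["birthDate"], "doses": doses}


# Hypothetical server-side handlers (not Docket's code).

def qr_handler_vulnerable(requested_user_id: str, session: dict) -> str:
    """Trusts the user ID the client sends: an insecure direct object reference."""
    return to_qr_text(build_shc_jws(RECORDS[requested_user_id]))


def qr_handler_fixed(requested_user_id: str, session: dict) -> str:
    """Binds the record to the authenticated session and rejects any mismatch."""
    if requested_user_id != session["user_id"]:
        raise PermissionError("user ID does not belong to the authenticated session")
    return to_qr_text(build_shc_jws(RECORDS[session["user_id"]]))


if __name__ == "__main__":
    alice_session = {"user_id": "u-1001"}
    # Alice replays her own request with Bob's ID, copied from an intercepting proxy.
    print("vulnerable handler leaked:", decode_qr_text(qr_handler_vulnerable("u-1002", alice_session)))
    try:
        qr_handler_fixed("u-1002", alice_session)
    except PermissionError as exc:
        print("fixed handler refused:", exc)
```

The fixed handler still accepts a client-supplied ID only so the mismatch is visible; in practice the endpoint should derive the record from the session alone and never read an object ID from the request. Decoding, as shown, needs no key at all, which is why a leaked QR is a leak of the data itself and not merely of an opaque token.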
Source: Slashdot – A Security Bug in Health App Docket Exposed COVID-19 Vaccine Records