A Sydney-based software engineer has worked out a way to create a passable forgery of Australia’s digital COVID-19 vaccine certificates.
And he reckons it can be done in just 10 minutes using free software.
Richard Nelson told ABC News an “obvious” security flaw allowed him to make a copy of the proof-of-jab feature in the Medicare app with anyone’s details on it – no vaccine required.
His version even contains the anti-forgery animation used in the background of the certificates.
Nelson said he found the security flaw while playing around on the Medicare app one night.
“It’s a very basic flaw. I thought surely there would be some kind of mitigation to stop this kind of attack, but there wasn’t,” he told the national broadcaster.
“I don’t think it’s a good idea to get it out there among the anti-vax crowd.
“People who don’t have a valid certificate can fairly easily present one — the implications of that are left up to the imagination.”
Just in case our imagination isn’t vivid enough, this means unvaccinated people could use the app to travel internationally when the time comes, chucking a huge spanner in the works for the rest of us by potentially prolonging travel restrictions.
Not to mention risking lives.
This should not be anywhere near this easy to fool (I’m not vaccinated.. yet) pic.twitter.com/faTQws7XhX
— Richard Nelson (@wabzqem) August 18, 2021
Once he realised how easy it was to trick the app, he notified the government with detailed instructions, but told ABC News he has not heard back.
Travel Weekly has reached out to the Department of Health and the office of Employment Minister Stuart Robert, who is responsible for data and digital policy, but is yet to receive a response.
However, a spokesman for Robert told ABC News the government is continuously updating the proof-of-vaccination certificates.
“The government will continue to iteratively update the proof of vaccination certificates … including bolstering security measures,” the spokesman said.
According to ABC News, other security experts confirmed the flaw should have been picked up in a basic security audit.