Digital COVID-19 vaccination proof can be faked, Flaw discovered by Security Researchers

September 16, 2021

A digital COVID-19 vaccine certificate can be faked, warns Richard Nelson, an Australian software engineer. The Australian digital contact-tracing program has serious flaws, according to the researcher, who is part of an independent cybersecurity group. The forgery can be carried out through Express Medicare, a government-operated application. He has sent a bug report to the developers in charge of the app, to no avail.

Services Australia, the federal government agency that develops the Express Medicare app, has failed to respond to the security researchers after being sent detailed vaccine certificate concerns on Twitter last August 18. Because of this inaction, the researchers worry that the issue could be used for reprehensible purposes by those campaigning against vaccines. Moreover, falsified certificates can create a more significant risk to public health.

Services Australia has established a means for people to present their immunization status via a government application installed on their mobile phones. Alternatively, individuals can download a digital immunization certificate and add it to the Apple Wallet or Google Pay applications. The state of New South Wales has suggested that these approaches may be included in its Service NSW app as digital vaccination evidence.


Verification Issues

Express Medicare Plus is the application in which the bug was found. It was developed to let the public connect with several government services. The government has just implemented a facility that allows users to retrieve their COVID-19 vaccination status from the Australian Immunization Register. The app displays the user's name, birthday, and a report on their immunization status.

A few weeks after the feature was added to the application, the researchers decided to investigate whether the application could be relied on. It took them only a short time to find that it can be manipulated to show that a user has been vaccinated even though they have not. The problem was reported quickly, but the researchers have not received any response.

However, the researchers have not disclosed a full explanation of how the application can be manipulated.


They stated that the application does not verify that a user's COVID-19 vaccination status is genuine, and that it does not check whether the party sending the information is real.


They added that fixing this will require an architectural security change that guarantees verification for both of the issues mentioned.

The code needed to fix the application is reported to be open and available, as regions like the EU have managed to solve the bugs that the Australian application has.


Researchers suggest improving the process of reporting issues

Services Australia, the federal government agency, has stated that it does not respond to escalated security issues. Still, it works closely with authorities that can resolve the relevant problems.

Since the researchers have found it challenging to get any response from those to whom they sent details of the issues, they concluded that the problem is mostly the lack of a proper process for reaching the authorized people about such technical matters.
