A Security Bug in Health App Docket Exposed COVID-19 Vaccine Records

Docket, a health app endorsed by state officials in New Jersey and Utah, had a security flaw that exposed the private information of residents who had been vaccinated against COVID-19. Docket lets users download and carry a digital copy of their vaccination records, obtained from their state’s health department. The information on the digital copy is identical to that on the paper COVID-19 card, but it is digitally signed by the state to prevent fraud.

Docket is one of many vaccine passports available in the United States, which let citizens present their immunization records — or a scannable QR code — to get access to events, restaurants, and countries where vaccinations are required.

However, for a brief period, the app permitted anybody to view the QR codes of other vaccinated users, along with all of the personal and vaccination information encoded inside them. Names, dates of birth, and details of a person’s COVID-19 vaccination status, such as which vaccine type they received and when, were all included. On Tuesday, TechCrunch identified the flaw and promptly alerted the firm. The fault was repaired at the server level a few hours later, according to Docket CEO Michael Perretta.

The flaw was in the request the Docket app sends to its servers to fetch the user’s QR code. The server generates the user’s QR code in the form of a SMART Health Card, a widely recognized standard for confirming a person’s immunization status. The QR code is linked to a user ID, which is not displayed in the app but can be seen by inspecting the app’s network traffic with free tools such as Burp Suite or Charles Proxy.

Docket’s servers, however, were not verifying whether the user requesting a QR code was authorized to receive it. That meant any app user could change the user ID in the request and obtain someone else’s QR code. Worse, because Docket user IDs are sequential, other users’ QR codes could be enumerated simply by altering a single digit in the user ID. It is unclear whether anybody else noticed the flaw. According to Perretta, the company is “currently investigating records to ascertain if there was any malicious activity on the platform.” Perretta also stated that the company was planning to alert state agencies of the security breach, but did not specify whether it intended to notify its users.
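The two paragraphs above describe a classic insecure direct object reference: the server authenticates the caller but never checks that the requested record belongs to that caller, and sequential IDs make the gap trivial to exercise. The following is an added illustration, not Docket’s code or anything TechCrunch published: a minimal vulnerable lookup beside a hardened one that derives the record owner from the session, plus a small access-log check of the kind a defender would run afterwards to look for sessions that read many different user IDs. The session store, the card records and the log lines are all constructed for the example.

```python
"""
Added example (not Docket's code): an insecure-direct-object-reference bug of
the kind the article describes, shown as a vulnerable handler beside a hardened
one, followed by a log check for sessions that read other users' records.
Every name, record, token and log line here is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HealthCard:
    user_id: int
    name: str
    payload: str  # stands in for the state-signed SMART Health Card data


# Constructed records with sequential IDs, as the article describes.
CARDS = {
    1001: HealthCard(1001, "Alice Example", "shc:/ALICE-SIGNED-CARD"),
    1002: HealthCard(1002, "Bob Example", "shc:/BOB-SIGNED-CARD"),
}

# Constructed session store: session token -> ID of the authenticated user.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


def vulnerable_get_qr(session_token: str, requested_user_id: int):
    """Checks only that the caller is logged in, then trusts the supplied ID.

    Any authenticated user can read any card: this is the flaw pattern.
    """
    if session_token not in SESSIONS:
        return 401, None
    card = CARDS.get(requested_user_id)
    return (200, card.payload) if card else (404, None)


def hardened_get_qr(session_token: str, requested_user_id: int):
    """Derives the owner from the session and serves only that owner's card.

    A mismatched ID gets the same 404 as a missing record, so the response
    does not confirm which IDs exist.
    """
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None
    if requested_user_id != owner:
        return 404, None
    card = CARDS.get(owner)
    return (200, card.payload) if card else (404, None)


# Constructed access-log lines: "<session_token> <requested_user_id> <status>".
SAMPLE_LOG = [
    "tok-alice 1001 200",
    "tok-alice 1002 200",
    "tok-alice 1003 200",
    "tok-alice 1004 404",
    "tok-bob 1002 200",
]


def sessions_reading_foreign_ids(log_lines, max_distinct_ids=1):
    """Return session tokens that requested more distinct user IDs than one
    account should ever need (one, for a personal vaccination card).

    This is the kind of retrospective check an operator would run over the
    QR-code endpoint's logs after fixing the authorization bug.
    """
    ids_by_session = {}
    for line in log_lines:
        token, uid, _status = line.split()
        ids_by_session.setdefault(token, set()).add(int(uid))
    return sorted(t for t, ids in ids_by_session.items() if len(ids) > max_distinct_ids)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_get_qr("tok-alice", 1002))
    print("hardened:  ", hardened_get_qr("tok-alice", 1002))
    print("suspicious sessions:", sessions_reading_foreign_ids(SAMPLE_LOG))
```

The hardened handler never uses the client-supplied ID to select a record; it only compares it against the identity already bound to the session. Replacing sequential IDs with random, opaque identifiers would make enumeration harder, but it is a secondary measure: the authorization check is what closes the hole.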

In a statement, Nancy Kearney, a representative for the New Jersey Department of Health, said: “Our vendor, Docket, advised the New Jersey Department of Health of a coding vulnerability relating to the latest release of a QR code connected with the app. Docket told the Department that the vulnerability in the code had been detected and repaired. The app’s other features were unaffected. Docket users’ privacy and security remain important. Docket is now looking into any indications of possible records that have been hacked. The Department is still working with Docket to ensure that they maintain their attention on this issue.”

The Minnesota Department of Health did not respond to a request for comment. (Minnesota residents can get Docket, but the state has not yet implemented QR codes.) A representative for the Utah Department of Health, Tom Hudachko, said:

The Utah Department of Health is dedicated to protecting Utah citizens’ privacy, and it expects its contractors and partners to do the same. Docket informed us [Tuesday] of a problem in their system that might allow users to get personal information from other users. Docket has told us that the flaw has been detected and that the problem has been rectified.