AppleInsider is supported by its audience and may earn commission as an Amazon Associate and affiliate partner on qualifying purchases. These affiliate partnerships do not influence our editorial content.
Flaws have been uncovered in a vaccine passport iOS app, after security researchers and hackers have shown there are many security issues with Quebec's mobile verification system.
Quebec has released its VaxiCode app, a COVID-19 vaccination passport intended to provide a way to prove a person's vaccination status via their iPhone. Shortly after its release, the security of the system as a whole has already come into question.
A computer programmer identified as "Louis" successfully disproved claims by Quebec's digital transformation minister, Eric Caire, that the QR codes generated by the system "cannot be falsified, modified, or copied." In a CBC report, the man managed to create a fake proof of vaccination for a person who did not exist.
After storing the proof in the VaxiCode app, the proof was then able to fool the VaxiCode Verif companion app, intended for businesses to verify the documentation.
"Honestly, I am surprised that I was able to penetrate the system so easily," said the programmer.
The security issues aren't just limited to creating fake proof. On Thursday, it was reported a group of hackers were able to acquire the QR codes for Premier Francois Legault, Mayor Valerie Plante, Quebec health minister Christian Dube, along with proofs of provincial opposition leasers and minister Caire.
The QR codes contain a number of pieces of information, including names, dates of birth, dates of vaccination, and the types of vaccines used. Caire downplayed the issue, maintaining the system is safe to use.
The system was intended to be as simple as possible to encourage adoption, but Caire says the province could make the process of obtaining a QR code more complex for improved security.
Caire also says that citizens will also have to show photo identification to go to venues that require a vaccination passport. "The heart of the story is to prove your identity," said Caire. "I want it to be very clear, the QR code has not been falsified, it has not been modified, and it remains secure."
Quebec is mandating the use of vaccination passports for a number of activities from September 1, including sitting in a bar or restaurant, going to a festival or gym, and other situations with a high risk of transmission.
The issues have led to a letter being sent from Quebec Solidare spokesperson Gabriel Nadeau-Dubois to Quebec Premier Legault, calling the situation an "unforgivable mess." The letter asks the premier to fix the breach, "otherwise, suspending the vaccine passport until a long-term solution is found will need to be considered."