The Belgian data protection authority is investigating a potential vulnerability in validating Covid Safe tickets in the CovidScan app. More than 39,000 people may have been affected.
The data protection authority itself announced a possible security vulnerability on Wednesday, according to several Belgian media outlets, including De Morgen. The CovidScan app is used to read and validate QR codes from the Belgian CovidSafe app. With this QR code, people can prove that they have been vaccinated or tested for the coronavirus, or that they have previously had the coronavirus, in order to gain access to certain events.
According to the GBA, the potential vulnerability concerns a certain encrypted list. People who were vaccinated against the coronavirus but later tested positive for the virus appear on it. The vaccination certificates of these people are suspended, after which they are placed on a comment list that can be accessed via the web. This list is encrypted, but can still be read via the CovidScan app. According to the GBA, more than 39,000 people have been affected.
The privacy regulator indicates that the problem was noticed by a citizen, writes Evening. It concerns an employee of the University of Louvain-la-Neuve, who was able to read the comment list thanks to an encryption key built into the CovidScan app. In theory, this would enable hackers to view a list of data on vaccinated people who tested positive for the coronavirus. According to De Morgen, the GBA says it considers the case “extremely serious” and will “pursue it,” but there are no details yet on possible follow-up actions. As far as is known, the leak has not yet been closed, the newspaper reported.