A security flaw in the health application Docket exposed the personal data of residents of Utah and New Jersey who had been immunized against COVID-19. Docket obtains immunization data from the user's state health department so that users can view and keep digital proof of their vaccinations.
The data on the digital copy is identical to the data on the printed COVID-19 card, but it is electronically verified by the state to prevent fraud. This electronic vaccine passport lets individuals display their immunization history or a scannable QR code to attend events, visit restaurants, and travel to nations where displaying a vaccine passport is compulsory.
For a limited period, the app permitted anybody to view the QR codes and private vaccination data of immunized users, including name, birth date, and data regarding a person's COVID-19 vaccination. Docket's servers were not verifying whether the user requesting a QR code was authorized to do so.
This could be a huge security flaw, one that allows hackers to access users' immunization details. The flaw came to light after TechCrunch identified it and promptly alerted the firm, which rectified it a few hours later.
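The missing server-side check described above, shown next to a corrected form. This is an added illustration, not Docket's code: the session tokens, record ids, data layout and function names are all hypothetical and the sample data is constructed.

```python
# Added illustration: a hypothetical in-memory service, not Docket's code.

# Constructed sample data: session token -> user id, record id -> record.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
RECORDS = {
    "rec-1001": {"owner": "alice", "qr": "QR<alice>"},
    "rec-1002": {"owner": "bob", "qr": "QR<bob>"},
}
DENIED = []  # refused lookups, kept so monitoring can spot id enumeration


class NotFound(Exception):
    """Raised for missing AND unowned records so the two look the same."""


def get_qr_unchecked(token, record_id):
    """Flawed pattern: the requester's identity plays no part in the lookup."""
    return RECORDS[record_id]["qr"]


def get_qr_checked(token, record_id):
    """Corrected pattern: the record must belong to the session's user."""
    user = SESSIONS.get(token)
    if user is None:
        raise PermissionError("login required")
    record = RECORDS.get(record_id)
    # The owner comes from server-side state, never from the request itself.
    if record is None or record["owner"] != user:
        DENIED.append((user, record_id))
        raise NotFound(record_id)
    return record["qr"]


if __name__ == "__main__":
    # Bob asks for Alice's record: the flawed handler returns it.
    print("unchecked:", get_qr_unchecked("tok-bob", "rec-1001"))
    try:
        get_qr_checked("tok-bob", "rec-1001")
    except NotFound:
        print("checked: refused, logged", DENIED[-1])
    print("checked (owner):", get_qr_checked("tok-alice", "rec-1001"))
```

Returning the same error for a missing record and for someone else's record keeps the response from confirming which record ids exist, and the refused-lookup log gives operations something to alert on.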