A security bug in health app Docket exposed COVID-19 vaccine records

The bug, now fixed, allowed access to other people's vaccination records

A security bug in the health app Docket exposed the private information of residents vaccinated against COVID-19 in New Jersey and Utah, where the app received endorsements from state officials.

Docket lets residents download and carry a digital copy of their immunizations by pulling their vaccination records from their state’s health authority. The digital copy has the same information as the COVID-19 paper card, but is digitally signed by the state to prevent forgeries. Docket is one of several so-called vaccine passports in the U.S., allowing residents to show their vaccination records — or a scannable QR code — for getting into events, restaurants or crossing into countries where vaccines are required.

But for a time, the app allowed anyone access to the QR codes of other vaccinated users — and all the personal and vaccine information encoded within. That included names, dates of birth and information about a person’s COVID-19 vaccination status, such as which type of vaccine they received and when.

TechCrunch discovered the bug on Tuesday and immediately contacted the company. Docket chief executive Michael Perretta said the bug was fixed at the server level a few hours later.

The bug was found in how the Docket app requests the user’s QR code from its servers. The user’s QR code is generated on the server in the form of a SMART Health Card, a widely accepted standard for validating a person’s vaccination status across the world. That QR code is tied to a user ID, which isn’t visible from the app, but can be viewed by looking at its network traffic using off-the-shelf software like Burp Suite or Charles Proxy.


But Docket’s servers weren’t checking to make sure the person requesting a QR code was allowed to request it. That meant it was possible for any app user to change their user ID and request someone else’s QR code. Worse, Docket user IDs are sequential, and so new QR codes could be enumerated simply by changing the user ID by a single digit.
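The missing check described above, as an added example (not Docket's code): a hypothetical in-memory handler showing the vulnerable pattern beside a corrected one. All function names, user IDs and payloads here are constructed for illustration.

```python
import secrets

# Constructed data: sequential user IDs mapped to placeholder QR payloads.
QR_STORE = {1001: "QR-PAYLOAD-FOR-1001", 1002: "QR-PAYLOAD-FOR-1002"}
SESSIONS = {}  # session token -> user ID established at login


def login(user_id):
    """Hypothetical login step: bind a random token to the authenticated user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def get_qr_vulnerable(token, requested_user_id):
    """The flaw the article describes: the caller must be logged in, but the
    user ID supplied in the request is trusted without an ownership check."""
    if token not in SESSIONS:
        return 401, None
    payload = QR_STORE.get(requested_user_id)
    return (200, payload) if payload else (404, None)


def get_qr_fixed(token, requested_user_id):
    """Object-level authorization: the record served must belong to the
    user bound to the session, whatever ID the client sends."""
    session_user = SESSIONS.get(token)
    if session_user is None:
        return 401, None
    # Same 404 for "not yours" and "does not exist", so responses do not
    # reveal which sequential IDs are in use.
    if requested_user_id != session_user or session_user not in QR_STORE:
        return 404, None
    return 200, QR_STORE[session_user]
```

Random, non-sequential identifiers make guessing harder, but the ownership check is the actual fix; without it any leaked ID still opens the record.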

It’s not known if anyone else discovered the bug. Perretta said the company is “currently in the process of reviewing logs to determine if there was any malicious activity on the platform.” Perretta also said that the company was working to inform state governments about the lapse but did not say if the company planned to notify its users of the security lapse.
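A log review of the kind Perretta describes could look like the following added example, which is not Docket's tooling. It assumes a hypothetical access-log format that records both the authenticated account and the user ID requested; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed log lines in a hypothetical format (assumption: the server
# logs the authenticated account alongside the user ID in the request).
SAMPLE_LOG = """\
2000-01-01T00:00:01Z auth_user=1001 path=/qr?user_id=1001 status=200
2000-01-01T00:00:05Z auth_user=1003 path=/qr?user_id=1050 status=200
2000-01-01T00:01:10Z auth_user=1007 path=/qr?user_id=1008 status=200
2000-01-01T00:01:11Z auth_user=1007 path=/qr?user_id=1009 status=200
2000-01-01T00:01:12Z auth_user=1007 path=/qr?user_id=1010 status=200
2000-01-01T00:01:13Z auth_user=1007 path=/qr?user_id=1011 status=200
2000-01-01T09:00:00Z auth_user=1004 path=/qr?user_id=1005 status=403
"""

LINE_RE = re.compile(r"auth_user=(\d+) path=/qr\?user_id=(\d+) status=(\d+)")


def foreign_requests(log_text):
    """Map each account to the other users' IDs it fetched successfully."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        auth_user, requested, status = map(int, m.groups())
        if status == 200 and requested != auth_user:
            hits[auth_user].add(requested)
    return {user: sorted(ids) for user, ids in hits.items()}


def longest_run(ids):
    """Length of the longest run of consecutive integers in a sorted list."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def review(log_text, run_threshold=3):
    """Per account: whose records were exposed, and whether the pattern
    looks like sequential enumeration rather than a one-off request."""
    return {
        user: {"exposed_ids": ids, "enumeration": longest_run(ids) >= run_threshold}
        for user, ids in foreign_requests(log_text).items()
    }
```

The `exposed_ids` lists double as the set of users who would need notification, independent of whether the access looked like enumeration.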

Nancy Kearney, a spokesperson for New Jersey’s Department of Health, said in a statement:

The New Jersey Department of Health was notified by our vendor, Docket, of a code vulnerability related to the recent release of a QR code associated with the app. Docket assured the Department that they identified and fixed the vulnerability within the code. No other functionality of the app was affected. The privacy and security of Docket users remains paramount. At this time, Docket is investigating for any indication of potential records that could have been compromised. The Department continues to work with Docket to ensure their ongoing vigilance on this matter.

A spokesperson for Minnesota’s Department of Health also did not reply. (Docket is available for Minnesota residents, but the state has not yet deployed QR codes.)

Tom Hudachko, a spokesperson for Utah’s Department of Health, said:

The Utah Department of Health is committed to ensuring the privacy of Utah residents and expects its contractors and partners to maintain the same commitment. Docket notified us [Tuesday] of a bug within its system that could potentially allow users to receive the personal information of other users. Docket has assured us they have identified what caused the bug and have resolved this issue.

“We are working with Docket, and our own data security teams to identify any users that may have had their information inappropriately shared and provide appropriate notification to those individuals,” said Hudachko.

But questions remain about how the bug slipped through to begin with. It’s not known exactly how many vaccinated people’s records were at risk. Last week, Docket said in a since-deleted tweet that it had reached one million users. New Jersey and Utah have a combined 8.5 million residents who have received at least one dose of the COVID-19 vaccine at the time of writing.

Perretta would not say, when asked, what kind of security testing was done on Docket before its launch.

Utah’s Hudachko said that Docket went through a “thorough security review” by the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC), two offices housed within the U.S. Department of Health and Human Services (HHS). An ONC spokesperson deferred comment to CMS and HHS, neither of which responded to our requests for comment.

The Centers for Disease Control and Prevention (CDC), which approved the app, also did not respond to questions asking if the agency had conducted a security review.

Docket isn’t the only vaccine passport app maker that’s faced security issues. The bug found in the Docket app is nearly identical to an issue found in an app called Aura, which exposed thousands of QR codes containing the vaccination status of staff and students. And earlier this year, the Calgary-based proof-of-vaccination app Portpass exposed the personal information of hundreds of thousands of people after leaving its website unsecured, while one hacker was able to create an entirely fake vaccine passport using Quebec’s official proof-of-vaccination app.