Vaccine passport app exposed hundreds of thousands of users' personal data

&gt; Hussein said Tuesday morning that the breach only lasted for minutes, and repeated that claim when CBC pointed out it had reviewed the personal information for more than an hour — and it&#x27;s unknown how long the information was exposed before that tip was received.<p>That person doesn&#x27;t make the impression that they&#x27;re honest and humble enough to handle people&#x27;s personal information.<p>&gt; Alberta currently does not have an official proof-of-vaccination app, and the province&#x27;s PDF vaccine record has been criticized for being easy to edit.<p>This confused me. Don&#x27;t they have a QR code that gets read and verified and must match the person&#x27;s name?

An important detail - this was a third party app, NOT an official government one. So, people were essentially uploading their PII to <i>some guy&#x27;s</i> server and hoping for the best.<p>This is what we all feared, and hoped wouldn&#x27;t happen. But here it is.

Still waiting on info on the vaccine passport app for Ontario, which is supposed to be rolled out on Oct 22. I&#x27;m hoping it&#x27;ll be open source, but no one&#x27;s mentioned it. Lot of potential for logging where everyone&#x27;s going with an app like what is being proposed.<p>Edit:<p>Looks like the BC one is not open source, can&#x27;t find it on GitHub: <a href="https:&#x2F;&#x2F;github.com&#x2F;bcgov" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;bcgov</a><p>I can&#x27;t find the Quebec gov GitHub account, so no idea on that. Probably closed as well.

I just returned from Zurich[1] which involved, of course, two pair of International entry&#x2F;exit.<p>While I was there, I availed myself of rapid antigen testing and my proof of vaccination with the canton of Zurich to attend several jazz shows and concerts (!) unmasked and with no covid restrictions.<p>I used QR codes throughout.<p>QR codes printed on paper, QR codes on a website that I pulled up in my phones browser, and once I even used a <i>picture of a QR code in my photoreel that I pinch-zoomed into and properly scanned</i>.[2]<p>It appears that there is no use for, nor appetite for, covid vaccine passport apps.<p>This makes me very happy because I have envisioned, through the entire pandemic, some perfect storm of pairing a smartphone to yourself, as an individual, and tying identification to it and being forced to register the phone and the app and yourself and the SIM card ... and <i>what a mess</i> that would end up being.<p>Instead, <i>it appears</i> we are all just going to produce QR codes in whatever way works best for us and if the scanner beeps and turns green, nobody cares what else is going on.<p>[1] <a href="https:&#x2F;&#x2F;twitter.com&#x2F;rsyncnet&#x2F;status&#x2F;1435981763864584201" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;rsyncnet&#x2F;status&#x2F;1435981763864584201</a><p>[2] ... and just to be clear, the photograph showed an entire printout with my name, etc., on it - so it still was a proof of identitiy. Once that was cleared up, she zoomed in on the QR code and scanned. Easy.

&quot;Earlier in the day, the Calgary-based company&#x27;s CEO Zakir Hussein had denied the app had verification or security issues and accused those who raised concerns about it of breaking the law.&quot; ...<p>&quot;&#x27;Someone that&#x27;s out there is trying to destroy us here, and we&#x27;re trying to build something good for people,&quot; he said.&#x27; ... &#x27;There&#x27;s holes, and what I&#x27;m realizing is I think there are some things that we need to fix here. And you know, we&#x27;re trying to play catch-up, I guess, and trying to figure out where these holes are.&#x27; &quot;<p>We&#x27;re trying to do something good, so when someone discovers we&#x27;ve done something bad, they&#x27;re automatically trying to destroy us. Uh huh....

The first party asserts information a to third party which only the second party can verify.<p>If the second party has no awareness of the third party or of a relationship between the first and third parties, how can the third party access the second party&#x27;s verification without the ability to access the information of any first party?

Change title to what the article actually is instead of fueling misinformation with a generic title:<p><i>Portpass app may have exposed hundreds of thousands of users&#x27; personal data</i>

With all of these breaches, back doors, on device scanning etc, I just assume that anything digital of mine is public.<p>Don’t digitalize anything that you don’t want to share with the entire planet.

Let’s think outside the box a bit here. If we see a few more of these leaks, it’s reasonable to assume that they’re leaked on purpose.<p>Why? So that vaccination status won’t be private health data anymore, it will slowly work it’s way towards being public information.<p>With the data public, non-compliers can be harassed, threatened or worse without governments having to lift a finger to oppress them.

I am from Canada (not Alberta) and am waiting for an in-depth analysis of how this breach works.<p>The quotes from the CEO makes the development team has not carry out the basis of well-known security practices. The CEO denied the issue but the app has been offline. Playing catch up is too late. Security is something you stay ahead of the game continuously.

these apps are going to be complete garbage as far as security and privacy goes and we all know it.

I think El Salvador&#x27;s Vaccine passport is the one of the best around.

I have a great solution for not having to worry about your data being leaked from these apps: don&#x27;t install them. Fuck COVID passports.

Working as designed?

It&#x27;s almost like granting access to people&#x27;s medical records would cause problems. Who would have thought?<p>Authoritarians were insanely opportunistic in using this Chinese virus to ruin people&#x27;s lives.

I&#x27;m old enough to remember back when those of us who said vaccine passports were coming were conspiracy theorists, now we&#x27;re calmly talking about implementation details.