Canadian digital health pass easily spoofed, exposed data, developer claims

A web developer in Calgary, Canada used the PORTpass digital health pass to create a fake vaccination credential under the name of an actor, with a promotional image for a movie as the photo, according to a Tweet.
Conrad Yeung says he was testing the app, and used the first spoof materials he could find, with immediate success.
PORTpass has been recommended by the Calgary Sports and Entertainment Corporation (CSEC), which owns the city’s big-league sports franchises, for use in meeting the pandemic mitigation rules for access to its events. Yeung further says the app does not use blockchain as claimed, and that he could access the system’s backend because its website did not properly apply SSL security. Finally, he claimed to have discovered that the personal information of Canadians held by the app is stored on an Amazon EC2 server in Ohio, rather than in Canada as the developer states.
An attempt to use the digital health pass before a recent NHL preseason game was also abandoned due to technical difficulties, CTV News reports. Yeung’s fake account reportedly stopped working around the same time.
The company then issued a statement denying social media reports that suggested its database was exposed. The database includes driver’s license data and other personal information for thousands, possibly hundreds of thousands of users, according to the CBC.
“The statements made are unequivocally untrue and PORTpass will be working with local authorities to take action against this malicious misinformation, and the submission of fraudulent documents,” the company said in the statement. “Documents uploaded for proof of vaccination and test results go through both manual review and machine learning analysis, and are securely used with Amazon Web Services.”
PORTpass CEO Zakir Hussein acknowledged that the app has “holes” and said the company is working on addressing them. He also said there are more than 650,000 registered PORTpass users.
A security expert interviewed by CTV was able to register with a United States Library of Congress card instead of scanning his provincial driver’s license as directed.
Alberta Health says it is developing its own QR code-based proof of vaccination solution.