‘Incomplete threat modelling’ blamed for credential forgery vulnerability

A mobile app developed by New York State to store records of Covid-19 vaccinations was vulnerable to credential forgery, security researchers at NCC Group have discovered.

The New York State (NYS) Excelsior Pass Vaccine Passport credential forgery bug arose because of “incomplete threat modelling and consideration of where and how the systems could be abused rather than a technical limitation”, NCC researcher Siddarth Adukia told The Daily Swig.

More specifically, the NYS Excelsior Scanner app verified credentials correctly, but the Wallet app did not validate these credentials until a recently developed fix was released.

This was a problem because “some venues don’t use the Scanner app or ignore the verification results and trust the seemingly legitimate data on a user’s device, leaving the technology open to abuse”, NCC warned.
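To make the flaw concrete, here is an added illustration in Go (not NCC's, the state's, or the app's own code) of the two sides of a pass system. It assumes a pass is an Ed25519-signed payload, which the page does not specify: a Wallet that stores whatever it is handed reproduces the bug, while running the same issuer-signature check the Scanner performs, at import time, closes it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedPass is an assumed stand-in for a pass: a JSON payload plus the issuer's Ed25519 signature over it.
type SignedPass struct {
	Payload   []byte
	Signature []byte
}

// Wallet is the holder-side app. With Verify=false it reproduces the flaw: any pass-shaped data is stored.
type Wallet struct {
	IssuerKey ed25519.PublicKey
	Verify    bool
	Passes    []SignedPass
}

// Import is where the fix belongs: check the issuer signature before storing, as the Scanner app does.
func (w *Wallet) Import(p SignedPass) error {
	if w.Verify && !ed25519.Verify(w.IssuerKey, p.Payload, p.Signature) {
		return fmt.Errorf("credential rejected: issuer signature does not verify")
	}
	w.Passes = append(w.Passes, p)
	return nil
}
// ScannerVerify is the venue-side check; a venue that trusts the wallet's screen instead never runs it.
func ScannerVerify(pub ed25519.PublicKey, p SignedPass) bool {
	return ed25519.Verify(pub, p.Payload, p.Signature)
}
// NewIssuer stands in for the state's signing authority (a freshly generated key pair, not the real one).
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}
// Issue produces a genuine pass. A forgery is the same payload with a signature the issuer never made.
func Issue(priv ed25519.PrivateKey, payload string) SignedPass {
	return SignedPass{Payload: []byte(payload), Signature: ed25519.Sign(priv, []byte(payload))}
}
func main() {
	pub, _ := NewIssuer()
	// Constructed forgery: plausible payload, all-zero signature.
	fake := SignedPass{Payload: []byte(`{"vaccinated":true}`), Signature: make([]byte, ed25519.SignatureSize)}
	lax, strict := &Wallet{IssuerKey: pub}, &Wallet{IssuerKey: pub, Verify: true}
	fmt.Println(lax.Import(fake) == nil, strict.Import(fake) == nil, ScannerVerify(pub, fake)) // true false false
}
```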

Proof-of-vaccine forgery

The researchers discovered that someone could potentially use the security flaw to gain entry to venues that require proof of Covid-19 vaccination without having been vaccinated, by adding forged credentials to the mobile wallet app.

An August 20 software update, prompted by NCC’s research, guards against this trickery.

Leisure and hospitality venues in New York have a responsibility to check credentials, as documentation on the NYS Excelsior Pass website explains.

“It is critical that venues use the Scanner app to validate vaccine credentials,” Adukia explained.

“Locking the Wallet application down to prevent the storage of fake credentials makes it harder for someone to present them convincingly, but venues could just as easily accept fake paper vaccination cards if they are not diligent.”

The researcher added: “It’s a fine line between making the technology hard to abuse, and using it correctly.”

Trust, but verify

NCC came across the issue during a wider study into Covid-19 ‘vaccine passport’ applications.

“We wanted to gauge the extent to which a user’s privacy would be affected by using them, and the degree of trust that they should place on digital vaccine credential systems as a result,” Adukia, a technical director at NCC Group, explained.

NCC published a detailed technical advisory on its NYS Excelsior Pass research last week.

Lessons learned

Adukia argued that the findings offered lessons that others in the process of rolling out vaccine pass systems should bear in mind.

“All developers of vaccine credential systems should consider how this technology could be subverted on a social level, before taking proactive steps to curb such actions and make it harder to abuse the system,” the researcher said.

“This could involve threat modelling how the apps are used, their technical and non-technical aspects, and education for the individuals and venues that use the app.

“It should also involve collecting and using the least amount of data required and other data minimisation principles where possible.”
