from tomorrow, as soon as it is obliged to show green pass For access to activities and public places, the application VerificaC19 Will be used to scan millions and millions of QR codes related to green certificate. we know How does this work and how it controls while protecting it privacy of citizen. Now we also know that it is affected by what can be called a serious bug.
A serious bug for the Verification C19 application
This problem was brought to light by Niccol Segato, an engineering student at the Milan Polytechnic, in the section. issues of the project on GitHub. Affects download version on devices Android, not for iOS. Below is a translated version of the report.
in the application
AndroidTo change the validity of the certificate simply change the date of the device. For example, by bringing forward the date of the device, an already expired certificate can be verified.
so that’s enough change date To get different results from the verification process.
To change the result of verification from the system settings it is enough to change the date of the device. It has been tested with a certificate issued 11 days after the first dose of vaccine, therefore not yet valid by law, therefore not yet validated by application on a device with a correctly scheduled date manner has been recognized. Postponing it for 15 days after the first dose, so from the certificate’s validity date, doing a new scan gives a positive result.
what is possible Solution? This is provided by the same author of the report, who suggests obtaining the date and time required to perform the check from a central server or in any case from a source other than the device itself.
The date and time must be obtained from a single, authenticated source, such as a government server, rather than from the device itself.
The use of VerificationC19 is also guaranteed offline, so in the absence of internet connection (up to 24 hours), this measure is unlikely to occur without affecting the operational methods declared so far.
Common sense should suffice to understand this, but for the avoidance of doubt we put it in black and white: The existence of the problem does not authorize it to be exploited to circumvent or replace the controls.. It is necessary to underline considering the need to include general question Question Answer on Institutional Website Is it possible to fake or tamper with the COVID-19 Green Certification?
.
Updates: As pointed out by a reader to whom we thank, the problem is of interest iOS version too of app.
Freelance twitter maven. Infuriatingly humble coffee aficionado. Amateur gamer. Typical beer fan. Avid music scholar. Alcohol nerd.
