A simple security vulnerability allowed access to the data of more than 100 test centers. Corona test centers in Germany and Austria are affected by the data leak.
Centers in Germany and Austria affected
The security vulnerability affects several test centers in Germany and Austria, which did not adequately protect patient data. The breach allowed access to 136,000 test results and other data such as names, addresses, phone numbers, email addresses, citizenship, passport and ID numbers, and birth dates of more than 80,000 people. The gap in the Corona test centers was uncovered by the Zerforschung project group.
A test was conducted during a visit to a Berlin Corona test center. After registering with an online service, the tested person retrieves the results by going to the domain 21dx.medicus.ai and downloading a PDF. The problem is that the ID used to download the result PDF was simply assigned in ascending order, so adding or subtracting from one's own ID retrieved another person's test result together with all the stored data about that person. Registering an account was sufficient to access the data; a completed test was not even necessary.
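The flaw described above is an insecure direct object reference: the download handler trusts the numeric ID in the request and never checks that the logged-in user owns that result. The following is an added example, not code from Medicus.ai, 21dx or Safeplay; the data model, user names and function names are constructed for illustration. It shows the vulnerable shape of such a handler beside a hardened one that enforces ownership, adds unguessable download tokens as a second layer, and includes a small audit helper that flags accounts whose requests are repeatedly denied, which is the signal a defender would look for in access logs.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TestResult:
    owner: str   # account that the result belongs to
    pdf: bytes   # the report the user is allowed to download


class Forbidden(Exception):
    """Raised when a request must be refused (missing, foreign or unauthenticated)."""


# Constructed sample store with sequential IDs, standing in for the kind of
# database the article describes (assumption: not the real Safeplay schema).
RESULTS_BY_SEQ = {
    1000: TestResult("alice", b"%PDF alice negative"),
    1001: TestResult("bob", b"%PDF bob positive"),
}


def download_vulnerable(current_user, result_id):
    """Vulnerable pattern: authentication only, no authorization.

    Any logged-in account can fetch any ID, so walking the sequence leaks
    every other person's report."""
    if current_user is None:
        raise Forbidden("login required")
    return RESULTS_BY_SEQ[result_id].pdf


def download_hardened(current_user, result_id):
    """Hardened pattern: the record must exist AND belong to the caller.

    Missing and foreign records get the same refusal so the ID space cannot
    be probed for which numbers are in use."""
    if current_user is None:
        raise Forbidden("login required")
    result = RESULTS_BY_SEQ.get(result_id)
    if result is None or result.owner != current_user:
        raise Forbidden("no such result for this account")
    return result.pdf


# Second layer: hand out random, unguessable download tokens instead of exposing
# the sequential primary key at all. The ownership check above still applies.
RESULTS_BY_TOKEN = {}


def issue_download_token(result_id):
    token = secrets.token_urlsafe(32)  # 256 bits, not enumerable
    RESULTS_BY_TOKEN[token] = result_id
    return token


def download_by_token(current_user, token):
    result_id = RESULTS_BY_TOKEN.get(token)
    return download_hardened(current_user, result_id)


def denied(handler, *args):
    """Helper for tests: True if the handler refuses the request."""
    try:
        handler(*args)
    except (Forbidden, KeyError):
        return True
    return False


def suspicious_accounts(access_log, threshold=3):
    """Detection: accounts whose download requests were refused at least
    `threshold` times. Entries are (account, requested_id, allowed) tuples,
    constructed here in place of real server logs."""
    refusals = {}
    for account, _requested_id, allowed in access_log:
        if not allowed:
            refusals[account] = refusals.get(account, 0) + 1
    return sorted(a for a, n in refusals.items() if n >= threshold)


if __name__ == "__main__":
    # Alice's own result works in both versions; Bob's leaks only in the
    # vulnerable one.
    print(download_vulnerable("alice", 1001))          # leaks Bob's report
    print(denied(download_hardened, "alice", 1001))    # True
    token = issue_download_token(1000)
    print(download_by_token("alice", token))           # Alice's own report
```

Run with `python3 idor_example.py`. The important design choice is that the hardened handler treats "record not found" and "record belongs to someone else" identically, so a caller cannot distinguish unused IDs from existing ones; the random token is defence in depth, not a substitute for the ownership check.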
According to the Zerforschung project group, the vulnerability was in the Safeplay software. Safeplay is a complete solution for Corona test centers, which is offered by the Viennese startup Medicus.ai as a software-as-a-service. This software is used by test center operator 21dx, which in turn operates a full 15 centers in Germany and also Austria, including vaccination centers.
Not the first security vulnerability
In total, however, not only these 15 test centers are affected by the security flaw, but more than 100, according to the Chaos Computer Club (CCC). In the press release through which the CCC, the Austrian data protection NGO Epicenter.works and Zerforschung made the gap known, it goes on to say, “These include public facilities in Munich, Berlin and Carinthia as well as fixed and temporary test stations in companies, schools and even daycare centers.” The report was first made to Medicus.ai, which now claims to have fixed the security flaw; the BSI (German Federal Office for Information Security) and CERT.at were also notified of the security leak.
CCC spokesman Linus Neumann also referred to last year’s vulnerabilities, saying, “This is not the first and certainly not the last security hole in hastily crafted Corona IT.” Neumann also criticized, “If catastrophic rookie mistakes happen even with such simple tasks, those responsible should do their homework first. Instead, the next thing you know, several million euros will be sunk into questionable blockchain proofs of vaccination.” Meanwhile, the Zerforschung project group hopes that the obvious vulnerabilities have not already been exploited by others. Trust in data security must now be rebuilt. To that end, Zerforschung writes, “Some of that trust would also be regained if government agencies didn’t buy into everything simply because it says AI or blockchain.”