In the corona pandemic, testing as comprehensively as possible is considered one of the most important tools for containment, and the number of tests is correspondingly high. It has now emerged that there has been a serious data protection breach in Germany and Austria.
Name, address, date of birth, citizenship, ID number and Corona test result: according to the Chaos Computer Club (CCC), which immediately reported the vulnerability to the responsible authorities, a security gap left all of this sensitive data insufficiently protected on the Internet. Several corona test centres in Germany and Austria were affected, specifically more than 136,000 Covid-19 test results from more than 80,000 people.
“Digital snapshots” to blame
The explanation is banal and frightening at the same time: according to the CCC, digitization deficiencies and “digital snapshots” were responsible. At the centre of the current affair is the Viennese company Medicus.ai, which provides an “all-round carefree website” for test centres under the name Safe play that can be used to book appointments and issue online test certificates.
In terms of security, however, there were obviously significant deficiencies, according to the CCC: “Anyone who created an account on the platform could see all test results and personal data of other users without hindrance.” The vulnerability was discovered via a Berlin test centre. The solution from Medicus.ai was used not only in public facilities in the German capital but also in Munich and Carinthia, and fixed and temporary test stations in companies, schools and even daycare centres were also affected.
It was not really “hacking” at all, because other people's results could be found by simple manipulation of the URL. “In order to see the complete data of all those tested live, you only had to create an account for a Covid-19 test. The URL for the test result contains the number of the test. If this number was incremented or decremented, the ‘test certificates’ of other individuals became freely accessible. In addition to the test result, the test certificate also includes the name, date of birth, address, citizenship and ID number of the person concerned,” says the CCC.
According to the CCC security experts, one account could also be used to access a dashboard unhindered and see “to the second” for each test centre when a Covid-19 test was carried out there and what the result was. According to its own information, Medicus.ai has now closed this vulnerability. Whether there was unauthorized access to the data is unclear and can hardly be determined.
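The flaw the CCC describes is a missing per-object authorization check on a lookup keyed by a sequential test number. The sketch below is an added example, not Medicus.ai's code: it shows the unchecked lookup beside a version that verifies ownership and records refused requests, so that enumeration attempts leave a trace. All names, records and the alert threshold are constructed assumptions.

```python
"""Added example (not Medicus.ai code): object-level authorization for a
result lookup keyed by a sequential test number. All names, records and
thresholds are constructed for illustration."""
from collections import defaultdict

# Constructed sample records: test number -> owning account and result.
RESULTS = {
    1001: {"owner": "alice", "result": "negative"},
    1002: {"owner": "bob", "result": "positive"},
    1003: {"owner": "carol", "result": "negative"},
}


class Forbidden(Exception):
    """Raised when an account asks for a result it does not own."""


def fetch_unchecked(account, test_id):
    """The flaw as described: any logged-in account gets any record."""
    return RESULTS.get(test_id)


class ResultService:
    """Hardened lookup: ownership check plus a record of refused requests."""

    def __init__(self, alert_after=3):
        self.alert_after = alert_after      # assumed threshold
        self.denied = defaultdict(set)      # account -> refused test numbers

    def fetch(self, account, test_id):
        record = RESULTS.get(test_id)
        # Same error for "missing" and "not yours", so responses do not
        # reveal which test numbers exist.
        if record is None or record["owner"] != account:
            self.denied[account].add(test_id)
            raise Forbidden("no such result for this account")
        return record

    def suspicious_accounts(self):
        """Accounts refused on several distinct test numbers."""
        return sorted(a for a, ids in self.denied.items()
                      if len(ids) >= self.alert_after)
```

The ownership check is the actual fix; replacing sequential numbers with random identifiers only makes guessing harder and does not substitute for it.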
Brian is the news author at Research Snipers which mainly covers Technology News, Microsoft News, Google News, Facebook, Apple, Huawei, Xiaomi, and other tech news.