Understand Australia

Vaccination certificates at risk of forgery

The federal government’s COVID-19 vaccination certificate can be forged using a widely known technique to bypass the protections.

Fenn Bailey, a software developer in Melbourne, stumbled upon the security flaw this week after reading about other publicised vulnerabilities. He discovered the government was relying on a “high-school grade permissions password” to prevent unauthorised people from being able to alter or copy versions of the vaccination certificates.

Mr Bailey found it was then possible to change a name or the vaccinated status on the certificate. This isn’t the first time a member of the public has found a way to forge a version of the federal government’s vaccination certificate.

But the fact it can be done so easily shows the government did not take basic steps to prevent forgery, Mr Bailey said.

“To anyone who is fairly qualified in this field, the failings are dramatic,” he said.

Other vulnerabilities that allow the certificates to be forged have gone unfixed after being brought to the government’s attention, including a method reported more than two weeks ago. This could create problems when relying on the certificates to grant extra freedoms to the fully vaccinated.

Is there a better, more secure system?

Security experts unanimously say the EU’s vaccine passport system is more secure. The EU passports contain a QR code with a digital signature to protect them against falsification.

When a person enters an EU country, for instance, the border guard scans the QR code and the signature is verified through a service called the EU Gateway. The Gateway doesn’t store vaccination data; it only checks the signature is correct.
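The property described above, sketched as an added example (not code from the article or from any government system): an issuer signs the certificate fields, and a verifier holding only the issuer's public key rejects a copy whose name or status was edited. Ed25519, the field names and the key ids are assumptions chosen for illustration; the article does not describe the EU system's algorithm or data format.

```javascript
// Added illustration: field names, key ids and sample data are constructed.
const crypto = require("node:crypto");

// Deterministic serialisation so issuer and verifier process identical bytes.
function canonicalBytes(payload) {
  return Buffer.from(JSON.stringify(payload, Object.keys(payload).sort()), "utf8");
}

// Issuer side: sign the certificate fields with the issuer's private key.
function issueCertificate(payload, keyId, privateKey) {
  const signature = crypto.sign(null, canonicalBytes(payload), privateKey);
  return { keyId, payload, signature: signature.toString("base64") };
}

// Verifier side: needs only trusted public keys, never the vaccination records.
function verifyCertificate(cert, trustedKeys) {
  const publicKey = trustedKeys.get(cert.keyId);
  if (!publicKey) return "unknown-issuer";
  const ok = crypto.verify(null, canonicalBytes(cert.payload), publicKey,
    Buffer.from(cert.signature, "base64"));
  return ok ? "valid" : "bad-signature";
}

// Constructed issuer key pair and the verifier's trust list.
const issuer = crypto.generateKeyPairSync("ed25519");
const trustedKeys = new Map([["issuer-key-1", issuer.publicKey]]);

const genuine = issueCertificate(
  { name: "Alex Example", status: "fully vaccinated", issued: "2021-09-01" },
  "issuer-key-1", issuer.privateKey);

// Copies with an edited field: the old signature no longer matches the content.
const renamed = { ...genuine, payload: { ...genuine.payload, name: "Sam Sample" } };
const restated = { ...genuine, payload: { ...genuine.payload, status: "exempt" } };

// A certificate signed with a key the verifier does not trust.
const outsider = crypto.generateKeyPairSync("ed25519");
const selfSigned = issueCertificate(genuine.payload, "outsider-key", outsider.privateKey);
// The same certificate relabelled with the trusted key id still fails the check.
const relabelled = { ...selfSigned, keyId: "issuer-key-1" };

function runChecks() {
  return [genuine, renamed, restated, selfSigned, relabelled]
    .map((cert) => verifyCertificate(cert, trustedKeys));
}

console.log(runChecks());
```

A permissions password on a document only restricts what a compliant viewer will do with the file, whereas the signature here is computed over the certificate's content, so any change to that content is detectable by the verifier.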

Copyright © 2021 Blessing CALD