Flaw discovered in the Quebec COVID passport app’s verification method

A flaw has recently been found in Quebec’s VaxiCode Verif COVID-19 vaccine passport app.

The finding points to the risks of not publishing source code for outside scrutiny before a government-backed application is released. Experts said that the Quebec government missed a good opportunity to publish the source code of the applications it produced for the sake of transparency. The discovery of the flaw showed that having a greater number of experts analyze this kind of application can significantly improve its security.

Weaknesses had also been found previously in the security of the app’s QR code mechanism, which was used to link to a provincial government URL with an individual’s vaccine health record. The flaw allowed the application to be forced to recognize non-government-issued QR codes as valid.

An update to the app will remove the functionality of downloading public keys from the issuer’s URL. Hence, using existing standards and technologies will ensure both signature security and interoperability between regions using the SMART Health Cards protocol.
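
A verifier that does not download keys from the issuer URL named in the card can instead check the signature against keys shipped with the app. The sketch below is an added example, not code from VaxiCode Verif or the Quebec government; it assumes pinned keys as the replacement, and the function names, issuer URLs and keys are constructed, and the card payload is left uncompressed for brevity.

```javascript
const crypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const unb64 = (s) => JSON.parse(Buffer.from(s, 'base64url').toString());

// Issuer side: sign a compact JWS with ES256 (ECDSA P-256 + SHA-256).
function signCard(payload, privateKey, kid) {
  const head = b64u(JSON.stringify({ alg: 'ES256', kid }));
  const body = b64u(JSON.stringify(payload));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${head}.${body}.${b64u(sig)}`;
}

// Verifier side: `pinned` is Map<issuer URL, Map<kid, public key>> shipped
// with the app. The card's `iss` and `kid` only select a pinned entry;
// nothing is fetched from a URL that the card itself supplies.
function verifyPinned(jws, pinned) {
  const parts = String(jws).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, payload;
  try { header = unb64(head); payload = unb64(body); }
  catch { return { ok: false, reason: 'malformed' }; }
  if (header?.alg !== 'ES256') return { ok: false, reason: 'bad alg' };
  const issuerKeys = pinned.get(payload?.iss);
  if (!issuerKeys) return { ok: false, reason: 'untrusted issuer' };
  const key = issuerKeys.get(header.kid);
  if (!key) return { ok: false, reason: 'unknown key' };
  const valid = crypto.verify('sha256', Buffer.from(`${head}.${body}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64url'));
  return valid ? { ok: true, payload } : { ok: false, reason: 'bad signature' };
}

// Constructed test data: one pinned issuer and one key pair outside the list.
function demo() {
  const opts = { namedCurve: 'prime256v1' }; // OpenSSL name for P-256
  const gov = crypto.generateKeyPairSync('ec', opts);
  const other = crypto.generateKeyPairSync('ec', opts);
  const GOV = 'https://gov.example/issuer';
  const pinned = new Map([[GOV, new Map([['gov-1', gov.publicKey]])]]);
  return {
    good: verifyPinned(signCard({ iss: GOV }, gov.privateKey, 'gov-1'), pinned),
    foreign: verifyPinned(
      signCard({ iss: 'https://other.example' }, other.privateKey, 'k1'), pinned),
    spoofed: verifyPinned(signCard({ iss: GOV }, other.privateKey, 'gov-1'), pinned),
  };
}
```

A card signed by a key outside the pinned list is rejected whether it names its own issuer or claims the pinned issuer's URL.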

It was then reported that the flaw was fixed quickly, showing the desire to have a secure system.