Medicare app flaw means vaccine certificates can be faked in less than 10 minutes

A flaw has been discovered in the Express Plus Medicare app that allows people to fake their Covid vaccination certificates in under 10 minutes.

Once Australians get both doses of the Covid-19 vaccine, they are able to show a certificate on the app that includes their name, date of birth, and which vaccine they received.

The prime minister, Scott Morrison, last month described it as “a credible and effective and easily usable digital vaccination certificate which can be provided to Australians”.

The certificate has a digital animation behind it, which is designed to prevent people presenting fake versions, but Sydney software engineer Richard Nelson discovered he was able to exploit a security flaw in the app and provide it with fake vaccine information that looked identical to the real thing.

Nelson attempted to inform Services Australia about the flaw, but found it difficult to contact the department directly. He has not received a response. He reported it to the Australian Signals Directorate, the government body that oversees intelligence and cybersecurity risk. He received acknowledgment of his contact, but no response.

Frustrated, this week he tweeted another demonstration of the flaw, this one showing he was able to trick the app into presenting a “certificate” for vaccinations using hydroxychloroquine and ivermectin – neither of which are vaccines. The fake was made as a joke and used federal MP Craig Kelly as the subject. Kelly was not involved in any way with the production of the certificate.

Nelson said the main issue with the certificate was that there was no way for restaurants or other venues to verify it was legitimate, if it became a requirement for entry.

“If we’re going to allow vaccinated people to do things we currently cannot do, such as enter a restaurant, there has to be a way for the restaurant owner to verify what they’re being shown is trusted, without invading individuals’ privacy,” he said.

Services Australia spokesperson Hank Jongen did not indicate when the app would be fixed. He said the agency was “continually evolving proof of vaccination certificates, including strengthening security measures”.

“We have contemporary cybersecurity in place to protect people’s personal information. This includes robust monitoring and fraud detection mechanisms that protect people’s Medicare details, including Covid-19 digital certificates.

“We are working with the Australian cybersecurity centre, who are providing cybersecurity guidance to government entities to support vaccine certificate initiatives.”

Jongen said the current version of the digital certificate had “several anti-fraud measures”, and the security flaw did not mean Medicare systems or personal data was compromised.

New South Wales is already looking to include the certificate in its Service NSW app, so people will be able to present the certificate when they check in with a QR code.

NSW digital and customer service minister Victor Dominello tweeted on Friday he would unveil a prototype of the proposed update on Monday.

Nelson said Australia should look to adopt a similar system to that used in the European Union, where people have a QR code either on their phone or in paper form, that restaurants and other venues can scan to ensure the person is vaccinated.

Nelson was one of several in the tech community to point out significant flaws in the federal government’s $7m Covidsafe app. This week the Digital Transformation Agency revealed it will hand over total responsibility for the app to the Department of Health, as new documents obtained by the Canberra Times revealed contact tracers found the contact tracing app difficult to use.

The previously redacted report to government by Abt Associates found despite 7 million people downloading the app nationally, including around 2 million in Victoria, just 15% of people who contracted Covid-19 in the state during last year’s second wave had the app, and no new close contacts were found.

Contact tracers told Abt Associates the app data had too many false positives, and was cumbersome to obtain information from to integrate into existing contact tracing methods.

Since its launch in April 2020, the app has only directly identified 17 close contacts in New South Wales not found through manual contact tracing.