A security bug in the Docket app exposed COVID-19 vaccine records in Utah and New Jersey, TechCrunch reported Oct. 27.
Six notes:
- The app, widely described as a vaccine passport, allows residents to pull vaccination records from their state's health department and carry a digital copy of the record on their smartphone. App users are able to show their QR code to gain access to locations that require proof of vaccination against COVID-19.
- A vulnerability in the app allowed anyone to access QR codes of vaccinated users and the personal information stored in the code, according to the report. An app user could change their user ID and request someone else's QR code. Docket's user IDs are in sequential order, so codes could be emulated by changing the ID number by a single digit, TechCrunch reported.
- Exposed data includes names, birth dates and COVID-19 vaccine-related information.
- Docket CEO Michael Perretta said the vulnerability was fixed a few hours after TechCrunch notified the company. Mr. Perretta told TechCrunch that it is "reviewing logs to determine if there was any malicious activity on the platform."
- Nancy Kearney, a spokesperson for the New Jersey Department of Health, told TechCrunch the department was informed of the breach by Docket.
"No other functionality of the app was affected," Ms. Kearney said. "The privacy and security of Docket users remain paramount. At this time, Docket is investigating for any indication of potential records that could have been compromised. The Department continues to work with Docket to ensure their ongoing vigilance on this matter." - Tom Hudachko, a spokesperson for the Utah Department of Health, told TechCrunch that it was also notified by Docket.
"Docket has assured us they have identified what caused the bug and have resolved this issue," Mr. Hudachko said. "We are working with Docket and our own data security teams to identify any users that may have had their information inappropriately shared and provide appropriate notification to those individuals."