A security bug in the health app Docket exposed the private information of residents vaccinated against COVID-19 in New Jersey and Utah, where the app received endorsements from state officials.

Docket lets residents download and carry a digital copy of their immunizations by pulling their vaccination records from their state’s health authority. The digital copy has the same information as the COVID-19 paper card, but is digitally signed by the state to prevent forgeries. Docket is one of several so-called vaccine passports in the U.S., allowing residents to show their vaccination records - or a scannable QR code - for getting into events, restaurants or crossing into countries where vaccines are required.

But for a time, the app allowed anyone access to the QR codes of other vaccinated users - and all the personal and vaccine information encoded within. That included names, dates of birth and information about a person’s COVID-19 vaccination status, such as which type of vaccine they received and when.

But Docket’s servers weren’t checking to make sure the person requesting a QR code was allowed to request it. That meant it was possible for any app user to change their user ID and request someone else’s QR code. Worse, Docket user IDs are sequential, and so new QR codes could be enumerated simply by changing the user ID by a single digit.

Perretta said the company is “currently in the process of reviewing logs to determine if there was any malicious activity on the platform.” Perretta also said that the company was working to inform state governments about the lapse but did not say if the company planned to notify its users of the security lapse. It’s not known if anyone else discovered the bug.
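
The missing server-side check and the kind of log review described in the article can be sketched as follows. This is an added Python example, not code from the article or from Docket: every name, ID, payload and log field is constructed, and it assumes the server knows which account authenticated each request.

```python
"""Added illustration with constructed data; not Docket's code."""
from dataclasses import dataclass

# Constructed records: sequential user IDs mapped to QR payloads.
QR_CODES = {1001: "qr-payload-A", 1002: "qr-payload-B", 1003: "qr-payload-C"}


class Forbidden(Exception):
    """Raised when a session asks for a record it does not own."""


def get_qr_code_unchecked(session_user_id: int, requested_user_id: int) -> str:
    # Behaviour described in the article: the server trusts the user ID in
    # the request and never compares it with the authenticated session.
    return QR_CODES[requested_user_id]


def get_qr_code(session_user_id: int, requested_user_id: int) -> str:
    # Object-level authorization: the ID in the request must belong to the
    # authenticated session before any record is looked up.
    if requested_user_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read {requested_user_id}")
    return QR_CODES[requested_user_id]


@dataclass(frozen=True)
class AccessLogEntry:
    session_user_id: int    # account that authenticated (assumed log field)
    requested_user_id: int  # ID named in the QR code request (assumed log field)


def foreign_requests(log):
    """Map each account to the sorted list of other users' IDs it requested."""
    hits = {}
    for entry in log:
        if entry.requested_user_id != entry.session_user_id:
            hits.setdefault(entry.session_user_id, set()).add(entry.requested_user_id)
    return {account: sorted(ids) for account, ids in hits.items()}


# Constructed log: 1001 reads its own code, 1002 also requests neighbouring IDs.
SAMPLE_LOG = [
    AccessLogEntry(1001, 1001),
    AccessLogEntry(1002, 1002),
    AccessLogEntry(1002, 1003),
    AccessLogEntry(1002, 1001),
]

if __name__ == "__main__":
    print(foreign_requests(SAMPLE_LOG))  # {1002: [1001, 1003]}
```

Because the IDs are sequential, the ownership check is the control that matters; switching to random identifiers alone would only make other users' records harder to guess, not unauthorized to read.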