Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery

Vendor: New York State
Vendor URL: https://play.google.com/store/apps/details?id=gov.ny.its.healthpassport.wallet
Versions affected: 1.2.0
Systems Affected: Android Google Play Store
Author: Siddarth Adukia sid.adukia[at]nccgroup[dot]com

Summary

New York State developed an application called NYS Excelsior Pass Wallet that allows users to acquire and store a COVID-19 vaccine credential. During some research it was discovered that this application does not validate vaccine credentials added to it, allowing forged credentials to be stored by users.

Impact

This issue would allow an individual to create and store fake vaccine credentials in their NYS Excelsior
Pass Wallet that might allow them to gain access to physical spaces (such as businesses and event venues) where they would not be allowed without a vaccine credential, even when they have not received a COVID-19 vaccine.

Details

The Wallet application can add a pass directly by interacting with the NYS servers, or through scanning a QR code or photo. In neither case is the credential verified, allowing forged credentials to be added to the Wallet. Screenshots of forged credentials are included; these may be scanned by the Wallet app and added as a legitimate pass.

If a business does not properly use the NYS Scanner application, or ignores the invalid pass warning in the Scanner app and trusts the pass shown in the Excelsior Wallet app on a user’s smartphone, it could allow individuals to fake vaccine credentials and gain access to physical spaces that are only supposed to be accessible to those with valid, legitimate proof of vaccination.

Fix from Vendor

Vendor informed NCC Group they intend to implement verification for vaccine credentials added to the NYS Excelsior Pass Wallet. This fix was released in the August 20 2021 version of the app.

Recommendation to Users

Update to the latest version of the application.

Users of he NYS Excelsior Pass Scanner (such as businesses and event venues) should take care while scanning presented vaccine credentials to confirm that each presented credential is successfully validated by the Scanner application to ensure that a presented credential is legitimate.

Vendor Communication

2021-04-30 NCC Group starts disclosure to NYS via support form - no response
2021-06-07 NCC Group submits another request to coordinate a disclosure - no response
2021-06-10 NCC Group calls NYS Excelsior support and is instructed to wait or contact the Department of Health 
2021-06-17 NCC Group emails DOH requesting to start disclosure process - no response
2021-06-25 NCC Group emails DOH to follow up on previous email - no response
2021-07-08 NCC Group emails DOH and requests acknowledgment - no response 
2021-07-16 NCC Group emails NYS ITS Cyber command center requesting to start a disclosure 
2021-07-20 NYS ITS sets up meeting to discuss vulnerabilities
2021-07-21 NCC Group meets with NYS ITS team and shares vulnerabilities and recommends fixes
2021-07-21 NYS ITS sends email with patch details and date 
2021-08-20 Patch released
2021-09-01 Advisory published

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date:  2021-09-01

Written by:  Siddarth Adukia

[Editor’s note: The disclosure timeline on this post was updated September 2 2021 to correct the patch date which was incorrectly noted in the original post. This was also corrected in the “Fix from Vendor” section. The issue was patched on August 20 2021; the original advisory had stated that it was August 12 2021]