Vendor: New York State
Vendor URL: https://covid19vaccine.health.ny.gov/excelsior-pass
Versions affected: iOS 1.4.1, Android 1.4.1
Systems Affected: iOS, Android
Author: Dan Hastings dan.hastings[at]nccgroup[dot]trust
Advisory URL / CVE Identifier:
Risk: Information Leakage
Fix from Vendor
Recommendation to Scanner App Users
Update to the latest version of the application.
2021-04-30 Starts disclosure to NYS via support form - no response
2021-06-07 Submits another request to coordinate a disclosure - no response
2021-06-10 Calls NYS Excelsior support and is instructed to wait or contact the Department of Health
2021-06-17 Emails DOH requesting to start disclosure process - no response
2021-06-25 Emails DOH to follow up on previous email - no response
2021-07-08 Emails DOH and requests acknowledgment - no response
2021-07-16 Emails NYS ITS Cyber command center requesting to start a disclosure
2021-07-20 ITS sets up meeting to discuss vulnerabilities
2021-07-21 Meets with ITS team and shares vulnerabilities and recommends fixes
2021-07-21 ITS sends email with patch details and date
2021-08-12 Patch released
2021-09-01 Advisory publication
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 2021-09-01
Written by: Dan Hastings