Vendor: New York State
Vendor URL: https://covid19vaccine.health.ny.gov/excelsior-pass
Versions affected: iOS 1.4.1, Android 1.4.1
Systems Affected: iOS, Android
Author: Dan Hastings dan.hastings[at]nccgroup[dot]trust
Advisory URL / CVE Identifier:
Risk: Information Leakage
Fix from Vendor
Recommendation to Scanner App Users
Update to the latest version of the application.
2021-04-30 Starts disclosure to NYS via support form - no response
2021-06-07 Submits another request to coordinate a disclosure - no response
2021-06-10 Calls NYS Excelsior support and is instructed to wait or contact the Department of Health
2021-06-17 Emails DOH requesting to start disclosure process - no response
2021-06-25 Emails DOH to follow up on previous email - no response
2021-07-08 Emails DOH and requests acknowledgment - no response
2021-07-16 Emails NYS ITS Cyber command center requesting to start a disclosure
2021-07-20 ITS sets up meeting to discuss vulnerabilities
2021-07-21 Meets with ITS team and shares vulnerabilities and recommends fixes
2021-07-21 ITS sends email with patch details and date
2021-08-12 Patch released
2021-09-01 Advisory publication
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 2021-09-01
Written by: Dan Hastings