Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy

Vendor: New York State
Vendor URL: https://covid19vaccine.health.ny.gov/excelsior-pass
Versions affected: iOS 1.4.1, Android 1.4.1
Systems Affected: iOS, Android
Author: Dan Hastings dan.hastings[at]nccgroup[dot]trust
Advisory URL / CVE Identifier:
Risk: Information Leakage

Summary

The New York State (NYS) Excelsior scanner app is used by businesses or event venues to scan the QR codes contained in the NYS Excelsior wallet app to verify that an individual has either a negative COVID-19 test or their vaccination status. We have found that some data about the businesses/event venues using the app to scan QR codes is also sent to a third-party analytics domain, but that this was not specified in the app’s privacy policy.

Impact

The NYS scanner app’s privacy policy does not match up to the actual data collection practices of the application, resulting in data being sent to an analytics third party that was not specified in advance to users of this app.

Details

The NYS Excelsior scanner privacy policy (https://epass.ny.gov/privacy-scanner) describes that the Business Name, Industry Type and Zip Code are all collected by the scanner app. The policy also states in the “How Data is Used” clause that “App data, , including Business Name, Industry Type, Zip Code, Pass type (vaccination, PCR, antigen), and Scan Result (valid, invalid, expired, pass not found), is collected and stored securely and is only shared with NYS”. 

In a request to the domain https://app-measurement.com (which is used for Google Analytics) the Business Name, Industry Type and Zip Code of the business/event venue using the scanner are all sent, which was not specified in the app’s privacy policy.

Fix from Vendor

Vendor informed NCC Group that updates will be made to the privacy policy to clarify that Business Name, Industry Type and Zip Code data will be shared with third parties.

Recommendation to Scanner App Users

Update to the latest version of the application.

Vendor Communication

2021-04-30 Starts disclosure to NYS via support form - no response
2021-06-07 Submits another request to coordinate a disclosure - no response
2021-06-10 Calls NYS Excelsior support and is instructed to wait or contact the Department of Health 
2021-06-17 Emails DOH requesting to start disclosure process - no response
2021-06-25 Emails DOH to follow up on previous email - no response
2021-07-08 Emails DOH and requests acknowledgment - no response 
2021-07-16 Emails NYS ITS Cyber command center requesting to start a disclosure 
2021-07-20 ITS sets up meeting to discuss vulnerability’s
2021-07-21 Meets with ITS team and shares vulnerabilities and recommends fixes
2021-07-21 ITS sends email with patch details and date 
2021-08-12 Patch released
2021-09-01 Advisory publication 

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date: 2021-09-01

Written by: Dan Hastings