Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy

Vendor: New York State Vendor URL: https://covid19vaccine.health.ny.gov/excelsior-pass Versions affected: iOS 1.4.1, Android 1.4.1 Systems Affected: iOS, Android Author: Dan Hastings dan.hastings[at]nccgroup[dot]trust Advisory URL / CVE Identifier: Risk: Information Leakage Summary The New York State (NYS) Excelsior scanner app is used by businesses or event venues to scan the QR codes contained in the NYS Excelsior … Continue reading Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy

Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery

Vendor: New York State Vendor URL: https://play.google.com/store/apps/details?id=gov.ny.its.healthpassport.wallet Versions affected: 1.2.0 Systems Affected: Android Google Play Store Author: Siddarth Adukia sid.adukia[at]nccgroup[dot]com Summary New York State developed an application called NYS Excelsior Pass Wallet that allows users to acquire and store a COVID-19 vaccine credential. During some research it was discovered that this application does not validate … Continue reading Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery