The ConectSUS app, from the Ministry of Health, has a security flaw that lets it validate a covid-19 vaccine certificate from any QR Code whatsoever. The bug gives non-immunized people a way to get around the vaccine passport, the document that attests to immunization and that several states require for entry into events or establishments.

The problem was discovered by the “Saiba Mais” news agency and confirmed by tilt. In response, the Ministry of Health stated “that it identified the failure on Monday (24) and, with maximum agility, updated the QR-Code validation component of the ConectSUS application”.

The ministry added that the “tool is working normally on the website and in the Android and iOS app stores”. Yet tilt tested the QR Code reader again this morning and found that the problem persists, even after updating the app.

The reporting team has again contacted the Ministry of Health and is awaiting a response.

How does failure occur?

By accessing ConectSUS, those immunized can issue the “Covid-19 Vaccination Certificate”. The document consists of a QR Code, which can be scanned to attest to its veracity.

[Image: ConectSUS validates any QR Code as a true vaccine certificate. Credit: Reproduction]

The problem is that ConectSUS validates any QR Code as genuine, not just the one the application itself generates when it issues the certificate.

This opens the door to document falsification: a non-immunized person could present a fake vaccine passport carrying any QR Code, and the app would validate it anyway.

In the test carried out by the reporting team, we used ConectSUS to read two QR Codes: one generated by WhatsApp Web and one random code from a free QR Code generator site.

In both cases, the application displayed “OK” on reading them, as if they really were codes from original vaccination certificates.

Is it another attack or a programming error?

For Hiago Kin, president of Abraseci (Brazilian Association of Cyber Security), the problem is probably not the result of an attack but of a flaw in the application’s programming.

“I think it’s a development and testing issue, especially with the mechanism that responds to the application and the scanner’s output,” he suggests.

He says the app appears to validate the QR Code without consulting its database to check whether the code is genuine.

“Every QR Code generates coded information that, when read, is decoded. From there, the process should be to look this code up in a database. Then there should be a return indicating the success or failure of the search. The application seems to report success without having consulted the database first, simply on reading the QR code”, he explains.
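The check Kin describes, as an added illustration that is not code from the article or from ConectSUS: decode the QR payload, look the certificate up in a registry, and return OK only when the lookup succeeds. The payload format (`VAX:<id>:<tag>`), the registry contents, the issuer key and the sample QR texts are all constructed for this example. It goes slightly beyond the article by also verifying an issuer tag (an HMAC) before the lookup, which is what makes the "authenticity" property Saliba mentions checkable; the `validate_flawed` function reproduces the behaviour the article reports, where any readable code yields "OK".

```python
import hashlib
import hmac

# Constructed sample registry standing in for the certificate database the app
# should consult. Keys are the certificate ids an issuer would embed in the QR Code.
CERTIFICATE_REGISTRY = {
    "CERT-0001": {"doses": 2, "status": "valid"},
    "CERT-0002": {"doses": 1, "status": "revoked"},
}

# Constructed verification key (hypothetical). A real issuer would keep this, or an
# asymmetric signing key, out of the scanning app; it is inline only so this runs offline.
ISSUER_KEY = b"example-issuer-key-not-real"


def issue_payload(cert_id: str, key: bytes = ISSUER_KEY) -> str:
    """Issuer side, hypothetical format: 'VAX:<cert-id>:<hmac-sha256 hex>'."""
    tag = hmac.new(key, cert_id.encode(), hashlib.sha256).hexdigest()
    return f"VAX:{cert_id}:{tag}"


def validate_flawed(payload: str) -> str:
    """The behaviour the article describes: any readable QR Code yields 'OK',
    with no parsing of the content and no lookup against the database."""
    return "OK" if payload else "INVALID"


def validate_checked(payload: str, registry=CERTIFICATE_REGISTRY,
                     key: bytes = ISSUER_KEY) -> str:
    """Correct shape of the check: parse, verify the issuer tag, then consult
    the registry. Each failure is reported separately so a log line tells the
    operator which layer rejected the code."""
    parts = payload.split(":")
    if len(parts) != 3 or parts[0] != "VAX":
        return "INVALID: not a certificate payload"
    _, cert_id, tag = parts
    expected = hmac.new(key, cert_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a scanner does not leak how much of the tag matched.
    if not hmac.compare_digest(tag, expected):
        return "INVALID: issuer tag does not match"
    record = registry.get(cert_id)
    if record is None:
        return "INVALID: unknown certificate"
    if record["status"] != "valid":
        return f"INVALID: certificate {record['status']}"
    return "OK"


# Constructed inputs mirroring the article's test: a WhatsApp Web style code and
# a random string from a generator site, plus a well-formed but unsigned payload
# and two genuinely issued ones.
SAMPLE_PAYLOADS = {
    "whatsapp_web_like": "2@abcdefghijklmnopqrstuvwxyz0123456789",
    "random_generator": "https://example.invalid/random-code",
    "forged_format": "VAX:CERT-0001:" + "0" * 64,
    "genuine_valid": issue_payload("CERT-0001"),
    "genuine_revoked": issue_payload("CERT-0002"),
}


def run_comparison(payloads=SAMPLE_PAYLOADS) -> dict:
    """Return {name: (flawed_result, checked_result)} for each sample payload."""
    return {name: (validate_flawed(p), validate_checked(p))
            for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (flawed, checked) in run_comparison().items():
        print(f"{name:18} flawed={flawed:8} checked={checked}")
```

Running it shows the flawed validator answering "OK" to all five inputs, including the WhatsApp Web and random codes, while the checked validator accepts only the genuinely issued, non-revoked certificate. The registry lookup alone would still accept `forged_format`, since that id exists; the issuer tag is what rejects a copied id with no valid signature.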

Pedro Saliba, researcher at Associação Data Privacy Brasil, also agrees that the case appears to involve a system error.

“Usually attacks on information systems by organized groups are publicized, as this guarantees a certain honor to the community”, he points out. “Possibly it’s a programming flaw.”

For Saliba, the discovery once again exposes the fragility of the Ministry of Health’s information security system, something that has become recurrent in the pandemic.

“What is important to point out is the repeated insecurity of information promoted by the Ministry of Health. The attack that made the systems unavailable in December 2021 was not the first: the website was altered to expose the fragility of the system in February 2021, the personal data of public figures such as Manuela D’Ávila and Átila Iamarino was changed, and the data of 243 million people was exposed in December 2020”, he stressed.

“What is evident is a lack of zeal for the principles of information security: availability, integrity, confidentiality and authenticity.”

Pedro Saliba, Associação Data Privacy Brasil.

The latest hacker attack

The ConectSUS application was down for 13 days after the hacker attack the Ministry of Health suffered at the end of 2021. The tool came back on December 23, still unstable.

It returned to normal operation, with all its features including proof of vaccination, on the 27th of the same month.

On December 10, the Ministry of Health website appeared defaced (a “defacement” is a kind of virtual graffiti): a group left a message saying it had erased data and demanding payment to restore the system.

After the illegal access, the ministry’s internet network was shut down. The attackers gained access to the cloud service used by the ministry, Amazon’s AWS, and managed to delete and change data on the ConectSUS platform, according to Tales Faria, columnist and head of UOL’s Brasília bureau.

The case is being investigated by the PF (Federal Police) and the MPF (Federal Public Prosecutor’s Office).