[BreachExchange] Private proof-of-vaccine app Portpass continues to expose personal data even after relaunch and updates

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Oct 29 14:56:22 EDT 2021


https://www.cbc.ca/news/canada/calgary/portpass-app-proof-of-vaccination-unsecured-data-update-1.6229034

Personal information belonging to more than 17,000 users of the private
proof-of-vaccination app Portpass is still unsecured and visible online —
including, in some cases, photos of drivers' licences and passports —
despite assurances from the company that its data-security problems have
been fixed.

The Calgary-based smartphone app was temporarily taken offline in late
September after CBC News initially reported that users' data was unsecured
and accessible on the internet to anyone who knew where to look.

The app relaunched in October and the Portpass website assured users that
it protects their "health privacy and data security at the highest level"
and that "your data and information is kept secure at all times."

But several experts in software development have since reached out to CBC
News with concerns that users' data was still accessible.

CBC News was able to independently confirm that the records of more than
17,000 users were still unsecured after the relaunch. The confirmation was
done by using an automated script to scan the information that was
accessible online without storing all of the users' personal information.

By examining a sample of those records, CBC News was able to view
text-based data showing users' names, phone numbers, email addresses, dates
of birth, vaccination status and, in some cases, Alberta health-care
numbers.

Some records also included photos of users and their personal
identification documents. Among the images were drivers' licences from
British Columbia, Alberta, Saskatchewan and Ontario, as well as a Canadian
passport, a U.S. passport and a federal Indian status card.

CBC News was able to view at least a dozen different photo IDs in the past
week, some of which were accessible for days at a time. (The original
images were temporarily stored by CBC News and then deleted; only blurred
versions with identifying details obscured were kept.)

The Calgary-based app, which invites users to upload personal information
so it can act as a proof-of-vaccination system for people who want to go to
restaurants, concerts and other events that require attendees to be
immunized against COVID-19, launched before governments in Alberta and
Ontario created their own apps.

Portpass was widely used before it was temporarily taken down in late
September amid the initial flurry of privacy concerns.

The Calgary Flames briefly promoted the app as the "preferred and fastest"
method for fans attending games at the Saddledome to prove their
vaccination status, but removed that recommendation after security flaws
came to light.

CEO considered pulling the plug
CBC News contacted Portpass CEO Zak Hussein on Monday about the unsecured
data. He agreed to an interview on Tuesday evening, in which he said he had
no idea the users' records were still accessible.

"I was unaware of that," Hussein said. "That's crazy."

At that point, Hussein said he was considering pulling the plug on
Portpass, especially considering Alberta and Ontario have since launched
their own apps.

"Maybe we need to just take down this app, because there's just all this
going on and it's not worth it," he said. "I mean, I haven't even made a
dollar on this."

Hussein said he needed to talk to his software developer about next steps.

"I'm just going to tell them to turn off the app," he said.

CBC News agreed to give Hussein a day to sort that out, and not publish
anything about the ongoing data exposure in the meantime, in order to limit
potential risk to users whose personal information remained unsecured.

Hussein did not take the app down, however, and instead updated the
software Wednesday with a note reading "Improved security of the app."

Update 'does nothing,' critics say
As of Thursday afternoon, however, user data remained available online,
albeit through a different method than before.

"This update essentially does nothing," said Rida F'kih, a Calgary-based
software developer who noticed the vulnerabilities in the Portpass app.

"The user data is still completely accessible."

Conrad Yeung, a Calgary-based web developer who also noted the Portpass
app's vulnerabilities after its relaunch, said advanced skills were not
needed to view users' private information and even a "beginner" could
figure it out.

"Somebody who finished a five- to 10-hour course on the internet … would be
able to access the information that I was able to access," he said.

After the app's Wednesday update, a third person anonymously sent a tip to
CBC News detailing how they were able to access user data, as well.

Given the ongoing exposure of personal information, the fact that a growing
number of people have independently figured out how to access it, and the
company's decision not to take down the app, CBC News has decided to no
longer wait and publish this story now.

CBC News reached out to Hussein again on Thursday morning but has yet to
receive a reply.

Privacy commissioner investigating
The Office of the Information and Privacy Commissioner (OIPC) of Alberta
has said it was in contact with Portpass after the initial data-security
concerns in September, and it reminded the company of its responsibility to
report any information breaches.

The OIPC said Thursday it has since received a new complaint about
Portpass, which is now part of an "open investigation."

Calgary police also conducted an investigation, which they said had
concluded Monday. They said they found no evidence of any "criminal attacks
or data breaches on the Portpass app."

Police said Thursday they have received no additional complaints since then
about anything criminal in nature regarding the app. They said concerns
about general data security would fall to the privacy commissioner's office.

In an Oct. 8 note on its website, the company acknowledged users' privacy
concerns and apologized for "any undue stress this may have caused."

"We have been made aware of potential unauthorized viewings and we want to
ensure that we have taken immediate steps and measures to verify that any
potential threats have been mitigated and eliminated," the company note
said.

User 'shell shocked'
One Calgary resident who signed up for the app says he's especially
frustrated because he emailed Portpass on Oct. 4 to ask whether his data
was exposed.

He received a reply from Hussein, the CEO, within two minutes.

"You were not affected and your data was not stored," Hussein said in the
email, which was shared with CBC News. "We have removed it and are also
awaiting to show facts through our audits."

But, as recently as Thursday, this user's name, email address, phone
number, date of birth and vaccination status remained accessible online.

"I'm shell shocked," said the user. CBC News has agreed not to name him,
because he still worries about his personal information being misused.

"I just feel like my digital identity is so vulnerable at this point. And
now I have to go and figure out a way of correcting that."

'Easily exploitable'
F'kih, the software developer, said the ongoing security lapses in the
Portpass app are entry-level errors.

"Some very basic kinds of considerations that any, I believe, competent
software developer would make were missed."

He said the app is "easily exploitable" and that bad actors would not need
advanced knowledge of computers to take advantage of the vulnerabilities.
He noted that users' data could be collected and sold online to aid in
identity theft, credit fraud, spam marketing or other illegal or unethical
purposes.

F'kih said it's hard to know if any bad actors have already accessed the
data, but the longer it's available online, the greater the chance it falls
into the wrong hands.

"Any chance above zero, with this kind of information, is unacceptable."

It's especially troublesome, he said, because by his estimation, Portpass
has about 17,000 to 18,000 registered users, all of whom appear to be
affected by the data exposure.

As well, people have continued to sign up for the app as recently as this
week.

A previously cited figure of 650,000 users actually refers to the number of
pre-registered users, Hussein clarified in his Tuesday evening interview,
not the number of people who actually downloaded and signed up for the app.

CEO won't say who developed app
When asked who did the software development for Portpass, Hussein replied:
"Oh, it's here in Calgary, but I wouldn't want to bring up their name."

However, F'kih says that conflicts with additional exposed information that
reveals the account name of a back-end developer.

From there, F'kih was able to find a person by the same name with a
LinkedIn account describing himself as a freelance web developer based in
Pakistan. He lists the development of the Portpass app as one of his
completed jobs.

Though he said there's nothing wrong with outsourcing work, F'kih says it's
the job of a CEO to "make sure that the application that you're sending out
is safe."

F'kih said he was motivated to highlight the app's security flaws because
he worries about users' personal data being stolen and misused, and he's
seen no effective actions taken by Portpass to correct the problems.