Another flaw in the proof-of-vaccination check of the ConectSUS app surfaced this Sunday (23). When the app is offline, it validates forged QR codes and can even display tampered messages. The discovery was shared exclusively with Tecnoblog. This is the second problem in the tool revealed this week.
The flaw was found by information security specialist Conrado Gouvêa. The problem occurs only on Android and is limited to a specific scenario, unlike the flaw revealed this Monday (24), which made the app return "OK" for any QR code it scanned.
With no internet, the app doesn't check the code
The problem appears when you open the app, turn off the device's internet connections and then try to validate a forged QR code.
Conrado explains that the QR code of the vaccination certificate is a JSON Web Token (JWT): a JSON document, a simple data-exchange format, that carries a digital signature.
"Ideally, [ConectSUS] would verify the digital signature, so only valid JWTs would be recognized as valid and have their data displayed on the screen," says the expert.
The problem is that, when offline, the app does not validate that signature and shows whatever is in the JSON. It is therefore possible to forge a code "by creating a JSON in the format expected by the app (or modifying a valid QR code), with a random signature", says Conrado. A payload decoded without checking its signature carries no assurance at all: anyone can write the JSON, so the signature check is the entire proof.
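The two code paths Conrado contrasts, as an added example that is not ConectSUS code and does not use the app's real key material or claim names: a token is signed, a copy is forged by editing the payload and attaching a random signature, and the forged copy is then fed to a decoder that skips the signature (the offline behaviour described above) and to one that verifies it. HS256 with a locally generated secret stands in for the certificate's actual signature scheme, which the article does not state, and the claim names (`name`, `doses`, `status`) are constructed.

```python
"""Added example: decoding a JWT without verifying it accepts forgeries.

Assumptions (not from the article): HS256 with a random local key stands in
for the real certificate signature scheme; the payload fields are invented.
"""
import base64
import hashlib
import hmac
import json
import os
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(payload: dict, key: bytes) -> str:
    """Issue a genuine token: header.payload signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """The offline code path: display whatever the payload says, signature ignored."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def decode_verified(token: str, key: bytes) -> Optional[dict]:
    """The correct path: pin the algorithm, recompute the MAC, compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None  # rejects 'none' and algorithm-confusion headers
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def forge_token(template: str, changes: dict) -> str:
    """The forgery Conrado describes: edit a valid token's JSON, attach a random signature."""
    header_b64, payload_b64, _ = template.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    random_sig = b64url_encode(os.urandom(32))  # never touched the signing key
    return f"{header_b64}.{payload_b64}.{random_sig}"


# Constructed sample data: a one-dose certificate and a forged "complete" copy.
SERVER_KEY = os.urandom(32)
GENUINE = sign_jwt({"name": "Maria", "doses": 1, "status": "incomplete"}, SERVER_KEY)
FORGED = forge_token(GENUINE, {"doses": 3, "status": "complete"})


def demo() -> dict:
    """Compare what each decoder reports for the genuine and forged tokens."""
    return {
        "genuine_unverified": decode_unverified(GENUINE)["status"],
        "forged_unverified": decode_unverified(FORGED)["status"],  # forged data shown
        "genuine_verified": decode_verified(GENUINE, SERVER_KEY) is not None,
        "forged_verified": decode_verified(FORGED, SERVER_KEY) is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The unverified decoder returns "complete" for the forged token because nothing in it depends on the key; the verified decoder returns nothing for it because the random signature never matches. Note that the check also refuses any header whose `alg` differs from the one the verifier expects, so a forger cannot switch the scheme to `none`.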
Reproducing the flaw is not so simple. As noted, it only occurs on Android. ConectSUS must be opened while still connected to the internet, because the app downloads a file needed for the checks; without it, every check fails. Then, with Wi-Fi and 4G turned off, the forged QR code can be scanned: the app displays the information recorded in it.