Problems in Austria, again
The central corona test platform of the Austrian Ministry of Health had a serious security problem: all pharmacies participating in the platform Oesterreich-testet.at could not only call up the data of the people they themselves had tested, but also access all tests from the past seven days. “This gap makes it possible to call up the name, address, social security number, telephone number, email and corona test result of potentially hundreds of thousands of people across Austria”, reports the digital NGO Epicenter.Works.
Simply changing the web address (URL) was enough to access the other test data. Thomas Lohninger from Epicenter.Works compares the pharmacy test system with ATMs. “I don’t understand how such a trivial security gap has not been noticed for so long,” Lohninger continues.
Questionable dealings with security researchers
The error was discovered by a web developer who worked for a pharmacy connected to the system. When he reported the matter to the Ministry of Health, no one initially responded. He then turned to the ORF. When the Austrian broadcaster ORF asked the ministry about it, the ministry blocked the pharmacy and subsequently let the developer go. Epicenter.Works points to the established practice of “responsible disclosure”: reporting security gaps first to those affected and only making them public once they have had time to fix them. The organization emphasizes that the developer behaved absolutely correctly, in that he immediately informed the responsible authorities. “Instead of thanking him, the Ministry of Health made sure that he lost his job,” the organization continued.
Speaking to Der Standard, however, the ministry insisted that the problem was not a software error, but “unlawful use of internal documentation systems by a single pharmacy”. At the same time, the ministry announced “adjustments”. The problem has now been resolved. The company responsible says that, based on the log files, it could not identify any further unauthorized data retrievals.
Not the first problem with corona data
There were already problems a few weeks ago, when Austria’s central reporting system for corona data had a serious flaw. According to joint research by the newspaper Der Standard and the civil rights organization Epicenter.Works, at that time it was possible for unauthorized persons to query personal data and import false laboratory results.
Access to the interface of the epidemiological reporting system (EMS) was possible through a non-personalized certificate: anyone who held such a certificate could access the system. According to the research, more than 225 such certificates were in circulation, at least one of which had gone to a laboratory company that should no longer have existed for several months. There was no binding to laboratory IP addresses, which would have limited access.
Disclosure:
Thomas Lohninger occasionally writes for netzpolitik.org.