The Government Made Australia’s Vaccine Certificates Way Too Easy To Forge

As if Australia’s bungled vaccine rollout wasn’t already bad enough, it turns out the federal government’s COVID-19 vaccine digital certificate is shockingly easy (and free) to forge.

Firstly, Gizmodo Australia is in no way recommending you should forge a vaccine certificate. 

Sydney-based software engineer Richard Nelson has found a painfully obvious security flaw in the Express Plus Medicare app system that allowed him to make a certificate without being vaccinated.

Nelson found the flaw, which allowed him to make a vaccine certificate for any name and date of birth, while messing around in the app one night. But it’s even more concerning because the forged certificates also include the background animations that have been implemented to prevent people from faking the certificates.

“It’s a very basic flaw,” he told the ABC. “I thought surely there would be some kind of mitigation to stop this kind of attack, but there wasn’t.”

Nelson immediately notified the government of the flaw after discovering it and sent them a detailed guide on how he was able to produce a forged certificate. However, he is yet to hear back.

“I don’t think it’s a good idea to get it out there among the anti-vax crowd,” he told the ABC.

“People who don’t have a valid certificate can fairly easily present one — the implications of that are left up to the imagination.”

In a statement provided to the ABC, a spokesperson for Minister Stuart Robert said the government has “iteratively updated proof of vaccine certificates”.

“The government will continue to iteratively update the proof of vaccination certificates… including bolstering security measures,” the spokesperson said, without making it clear whether the issue has been or will be resolved.

Interestingly, this isn’t even the first time somebody has found a security risk with the vaccine certificates. Senator Rex Patrick previously identified that the PDF versions of the certificates could be easily mimicked in Photoshop. However, the new vulnerability also allows the animated security features to be copied, making it more of an issue.

The federal government is yet to confirm whether or not it is working on a new version of the vaccine certificate.

Gizmodo Australia has reached out to Stuart Robert’s office for comment.