An unprotected online interface shared by several Berlin corona test providers made it possible to access the personal data of several hundred thousand people openly on the Internet. The massive data leak affected personal information such as name, address, telephone number, email address and the test results of those tested. In some cases the identity card or passport number of the person concerned was also included.
The security gap at the centers, which had joined together under the name “Schnelltest Berlin”, was discovered by the IT collective “Zerforschung”. According to them, the server at https://corona-api.de/ did not check whether a retrieved test result actually belonged to the person requesting it. Based on the list of people, the IT security experts estimate that almost 700,000 test results from around 400,000 customers were accessible. Asked by the rbb, the Berlin State Data Protection Authority initially assumed that over 200,000 people were affected.
Vaccination certificate for Robert Koch
In the source code, the experts also discovered the endpoints that employees use to create a new test in the system and to save the test result. The server did not check any authorization here either. The hackers put this to the test and generated a PCR test with a negative result for the 177-year-old Robert Koch. The issued certificate even contained a BärCODE as a supposed security feature, which was also recognized as valid when scanned with the associated test app.
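The two failures described above, a result lookup that never verifies the requester owns the record and a staff-only creation endpoint with no authorization at all, are both instances of missing object-level and function-level authorization. The following is an added example written for this article; it is not the provider's code and it does not model the real API. All names (`ResultStore`, `Session`, `TestResult`, the role strings) are hypothetical, and the sample data is constructed. It places the unchecked pattern beside a hardened version that binds every lookup to the authenticated session and restricts creation to a staff role.

```python
"""Object-level authorization on a test-result store (hypothetical example)."""
from dataclasses import dataclass, field
import secrets


@dataclass
class TestResult:
    result_id: str
    owner_id: str   # the person the sample was taken from
    outcome: str    # "negative", "positive" or "pending"


@dataclass
class Session:
    user_id: str
    role: str       # "customer" or "staff"


class AuthorizationError(Exception):
    """Raised when a session is not allowed to perform the requested action."""


@dataclass
class ResultStore:
    results: dict = field(default_factory=dict)

    # --- unchecked pattern: whoever holds (or guesses) an id gets the record ---
    def get_result_unchecked(self, result_id: str) -> TestResult:
        return self.results[result_id]

    def create_test_unchecked(self, owner_id: str, outcome: str) -> TestResult:
        rec = TestResult(secrets.token_hex(8), owner_id, outcome)
        self.results[rec.result_id] = rec
        return rec

    # --- hardened: every call is checked against the authenticated session ---
    def get_result(self, session: Session, result_id: str) -> TestResult:
        rec = self.results.get(result_id)
        # Same answer for "missing" and "not yours", so ids cannot be enumerated
        # by telling the two cases apart.
        if rec is None or (session.role != "staff" and rec.owner_id != session.user_id):
            raise AuthorizationError("no such result for this account")
        return rec

    def create_test(self, session: Session, owner_id: str, outcome: str) -> TestResult:
        # Function-level check: recording a test is a staff action.
        if session.role != "staff":
            raise AuthorizationError("only staff may record a test")
        return self.create_test_unchecked(owner_id, outcome)


def demo() -> dict:
    """Run both variants on constructed data and report what each allowed."""
    store = ResultStore()
    staff = Session("staff-1", "staff")
    alice = Session("alice", "customer")
    mallory = Session("mallory", "customer")
    rec = store.create_test(staff, "alice", "negative")

    out = {}
    # The unchecked lookup hands out the record on the strength of the id alone.
    out["unchecked_leaks"] = store.get_result_unchecked(rec.result_id).owner_id == "alice"
    out["owner_can_read"] = store.get_result(alice, rec.result_id).outcome == "negative"
    try:
        store.get_result(mallory, rec.result_id)
        out["stranger_blocked"] = False
    except AuthorizationError:
        out["stranger_blocked"] = True
    try:
        store.create_test(mallory, "other-person", "negative")
        out["customer_cannot_create"] = False
    except AuthorizationError:
        out["customer_cannot_create"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The hardened lookup deliberately returns the same error for a record that does not exist and for one that belongs to someone else; a distinguishable response would let a caller probe which ids are live. The creation check also explains why the forged certificate scanned as valid: a signature or code on a certificate only proves that the server issued it, so if the endpoint that issues it performs no authorization, the server will sign whatever it is told to create.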
WeCare Services operates the IT infrastructure for the providers of “Schnelltest Berlin”. The security gaps have now been closed, the company said, and it plans to inform those affected at the end of next week. In addition to 15 test centers in the capital that operate under the association name, the association also includes mobile Corona bike test points, on which event organizers and clubs often rely. The researchers had previously uncovered weaknesses in several other test providers as well.