Another app introduced during the COVID pandemic has turned out to be unfit for the task of safely managing people’s most sensitive personal data.
The makers of Portpass, an app used in Canada as proof of vaccination, are accused by the media of implementing sloppy security on their website, which may have led to the personal data of hundreds of thousands of people being exposed on the web. Reports say that this data was stored on the site in plain text, unencrypted.
CBC News writes that it received a tip about this and was able to reproduce the steps necessary to access user profiles and their name, email addresses, date of birth, blood type, and photos from their passports or driver’s license submitted as proof of identity.
The broadcaster said it was an easy process, but would not reveal how to access the profiles in order to protect people using Portpass.
The report, published on Tuesday, was preceded by an exchange between CBC and Portpass CEO Zakir Hussein the day before, when he was warned about the vulnerabilities, which security researchers describe as basic mistakes, and given until the next morning to start fixing the issues and protecting the data.
Shortly before that, Hussein had said the app does not have security or verification problems. He has also revealed that it is used by over 650,000 people across the country.
The conversation with the broadcaster on Monday night resulted in the web app, portpassportal.com, getting shut down and showing visitors a “network error” message.
The next day, Hussein said that personal data of the app’s users was only exposed for several minutes, but CBC contradicted that by saying they were able to access the profiles for over an hour while investigating the claim of a security vulnerability.
One of the businesses that recommended the use of Portpass was Calgary Sports and Entertainment Corporation (CSEC), owner of the NHL’s Calgary Flames, which told fans they should use Portpass to prove they were vaccinated before being allowed into the arena. CSEC has since removed the recommendation from its own website.
Security analyst Ritesh Kotak is quoted as saying, “These were exactly the privacy and security concerns I’ve previously raised when it comes to using third-party apps,” and adding:
“You’ve gotta ask yourself, ‘Where’s the data housed? Who has access to it? Is it encrypted?’… If this gets out to the wrong individuals it opens them up to fraud, identity theft and a whole other world of potential issues.”