A security hole detected in the vaccination page allowed access to third-party data

The Health Department solved the problem a few days ago and claims no information was leaked

Vaccination campaign at the CAP Ramon Turró in Barcelona this weekend.
12/07/2021

Barcelona. The vaccination page used in Catalonia to make or change appointments allowed access to third-party data. The Department of Health solved the problem just over a week ago and claims that during the months this security hole was open no information was leaked. "There has been no incident in the VacunaCovid page leading to third parties gaining access to information on other citizens," the department stated in response to questions by ARA.

The department says that, given the "visibility and importance of the web", it is monitored "proactively", with regular checks to detect any incidents. During this monitoring, "requests for access by third parties outside the defined flow" were detected and analysed to minimise any "technological or operational vulnerability that could affect its operation". An incident was discovered and, together with the Cybersecurity Agency of Catalonia, the necessary improvements were put in place to protect the application and reinforce its security. In a subsequent, more detailed analysis of what had happened, the technicians detected "a vulnerability in one of the components of the solution that entailed a risk of exposure of data identifying people and vaccination appointments".

Initially, the department had admitted that the problem had been detected thanks to a user's warning. "After a citizen expressed his concern, it was analysed and a decision was made to limit as much as possible the information presented when checking a future appointment. Thus, all personal data has been removed and only the data concerning the appointment has been left," the department replied when explaining how the hole was closed, although it later attributed the detection of the problem to the website's monitoring.

The user told the authorities that the page allowed "very easy access by unauthorized third parties to other citizens' vaccination data, health card number, mobile phone number, email address, full name, appointment for vaccination...". It was not a trivial operation and required some computer knowledge, but anyone who opened the browser console on the vaccination page could modify the ID number sent to the server and thus retrieve a third party's personal data, without any identification code or SMS validation. In other words, the server trusted the identifier supplied by the browser instead of checking that the requester was entitled to that record. A few days after the complaint reached the department, this possibility was disabled and the problem was solved; had it remained open, it could have allowed a massive data dump by generating a sequence of ID numbers automatically.
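The flaw class described above, where a server returns whatever record matches a client-supplied identifier, is usually called an insecure direct object reference. The following is an added, constructed example (not code from the VacunaCovid application or from the Health Department) that models an appointment-lookup endpoint in two versions: one that trusts the ID number sent by the browser, and one that only serves the ID the server itself has verified (for instance via an SMS code) and, as in the fix the department describes, strips personal fields from the response. The records, field names, `Session` model and the `harvest` enumeration helper are all hypothetical.

```python
"""
Constructed model of an insecure-direct-object-reference flaw in an
appointment lookup, beside a hardened version. Not the real VacunaCovid
code; every record, field name and the session model is hypothetical.
"""
from typing import Callable, Dict, Optional

# Constructed sample records keyed by a hypothetical ID number.
RECORDS: Dict[str, Dict[str, str]] = {
    "00000001A": {"name": "Person One", "health_card": "CARD-0001",
                  "phone": "600000001", "email": "one@example.invalid",
                  "appointment": "2021-07-20 10:00, first dose"},
    "00000002B": {"name": "Person Two", "health_card": "CARD-0002",
                  "phone": "600000002", "email": "two@example.invalid",
                  "appointment": "2021-07-21 11:30, first dose"},
    "00000003C": {"name": "Person Three", "health_card": "CARD-0003",
                  "phone": "600000003", "email": "three@example.invalid",
                  "appointment": "2021-07-22 09:15, second dose"},
}

# Fields that identify a person and should never leave the server on a
# "check my appointment" call; only the appointment itself is needed.
PERSONAL_FIELDS = {"name", "health_card", "phone", "email"}


class Session:
    """Server-side session. verified_id is the ID number the server has
    confirmed belongs to this user (e.g. after SMS validation), or None."""

    def __init__(self, verified_id: Optional[str]) -> None:
        self.verified_id = verified_id


def lookup_vulnerable(session: Session, requested_id: str) -> Optional[Dict[str, str]]:
    """Vulnerable: the ID typed into the browser console is used as-is and
    the session is never consulted, so any ID returns any citizen's data."""
    record = RECORDS.get(requested_id)
    return dict(record) if record is not None else None


def lookup_hardened(session: Session, requested_id: str) -> Optional[Dict[str, str]]:
    """Hardened: refuse unverified sessions, bind the lookup to the identity
    the server verified, and return only appointment fields."""
    if session.verified_id is None:
        raise PermissionError("identity not verified for this session")
    if requested_id != session.verified_id:
        # Same answer as "no such record" so the endpoint is not an oracle
        # for which ID numbers exist. A real deployment would also log this.
        return None
    record = RECORDS.get(requested_id)
    if record is None:
        return None
    return {k: v for k, v in record.items() if k not in PERSONAL_FIELDS}


def harvest(lookup: Callable[[Session, str], Optional[Dict[str, str]]],
            session: Session, candidate_ids) -> int:
    """Simulates the automated sweep over sequential IDs the article warns
    about and returns how many records leaked at least one personal field."""
    leaked = 0
    for candidate in candidate_ids:
        try:
            record = lookup(session, candidate)
        except PermissionError:
            break  # an unverified session gets nothing at all
        if record and PERSONAL_FIELDS & record.keys():
            leaked += 1
    return leaked


if __name__ == "__main__":
    ids = list(RECORDS)  # stands in for a generated sequence of ID numbers
    print("vulnerable endpoint, no login:", harvest(lookup_vulnerable, Session(None), ids), "records leaked")
    print("hardened endpoint, no login:  ", harvest(lookup_hardened, Session(None), ids), "records leaked")
    print("hardened endpoint, logged in: ", harvest(lookup_hardened, Session("00000001A"), ids), "records leaked")
    print("own appointment, hardened:    ", lookup_hardened(Session("00000001A"), "00000001A"))
```

The key difference is that `lookup_hardened` never uses the client-supplied identifier to decide whose data to fetch; the identity comes from what the server verified, and the identifier from the browser only has to match it. Stripping personal fields on top of that limits the damage if a future bug reintroduces the mismatch.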

The case of Madrid

A week ago, Telemadrid reported that the website set up by the Madrid region to obtain the covid digital certificate or request a vaccination appointment had publicly exposed personal data of thousands of citizens, including King Felipe VI and Pedro Sánchez. According to the regional TV station, you only needed the person's ID number to access personal information such as their telephone number or Social Security number. The Madrid regional government denied that "any citizen" could access "confidential information such as clinical data of the king", but admitted a "security vulnerability in the functionality of the portal".
